How costly would using pcap to monitor 15-30 interfaces be?

9/30/2018

With docker networking in one standard configuration, each container has its own virtual NIC.

I'm interested in monitoring all those simultaneously, scraping IP src and dst address as well as TCP or UDP src and dst port if applicable.

How costly is doing this likely to be?

Is there any way to do what I want which is monitoring just the docker bridge interface when in bridge mode?

When dealing with multiple docker networks communicating with each other via flannel in Kubernetes, I found that many src and dst IP addresses were just the bridge address. (Presumably, the bridge does NAT, but for some reason, I wasn't seeing translation rules under iptables -t nat -L)

-- FullTimeCoderPartTimeSysAdmin
docker
kubernetes
libpcap

1 Answer

9/30/2018

It is considerable. If you are doing pcap inside the containers you might run into 2-3 times more CPU computation overhead from your applications. But in reality, it all depends on how you are capturing: is your expression capturing every single packet? Does your application have heavy traffic?

Another question here offers more insights: How intrusive is tcpdump?

As you have already mentioned, if you capture just on the bridged interface you might be already seeing the translated/masqueraded addresses.

-- Rico
Source: StackOverflow
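
The field extraction the question describes (IP src/dst plus TCP/UDP ports per captured frame), as an added example that is not part of the original question or answer. It assumes Ethernet II framing with no VLAN tag and IPv4 only; `flow_tuple`, `make_frame` and `summarize` are hypothetical names, and the sample frames are constructed, not captured traffic.

```python
import socket
import struct
from collections import Counter

ETH_LEN = 14  # Ethernet II header without a VLAN tag (assumption)

def flow_tuple(frame):
    """Return (src, dst, proto, sport, dport) for an IPv4 frame, else None."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
        return None
    ver_ihl = frame[ETH_LEN]
    ihl = (ver_ihl & 0x0F) * 4          # header length varies with IP options
    if ver_ihl >> 4 != 4 or ihl < 20:
        return None
    frag = struct.unpack_from("!H", frame, ETH_LEN + 6)[0]
    proto = frame[ETH_LEN + 9]
    src = socket.inet_ntoa(frame[ETH_LEN + 12:ETH_LEN + 16])
    dst = socket.inet_ntoa(frame[ETH_LEN + 16:ETH_LEN + 20])
    l4 = ETH_LEN + ihl
    sport = dport = None
    # Ports exist only for TCP (6) / UDP (17), and only in the first fragment.
    if proto in (6, 17) and (frag & 0x1FFF) == 0 and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
    return (src, dst, proto, sport, dport)

def make_frame(src, dst, proto, sport=0, dport=0, options=b"", frag=0):
    """Build a constructed sample frame (zero checksums, not captured traffic)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0, 0, 0,
                     frag, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + options
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def summarize(frames):
    return Counter(t for t in map(flow_tuple, frames) if t is not None)

# Constructed samples using addresses from Docker's default bridge range.
SAMPLES = [
    make_frame("172.17.0.2", "172.17.0.3", 6, 40000, 443),
    make_frame("172.17.0.2", "172.17.0.3", 6, 40000, 443, options=b"\x01\x01\x01\x00"),
    make_frame("172.17.0.3", "172.17.0.1", 17, 5353, 53),
    make_frame("172.17.0.2", "172.17.0.3", 17, frag=0x00B9),   # non-first fragment
    make_frame("172.17.0.2", "172.17.0.1", 1),                 # ICMP, no ports
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,                 # ARP, skipped
]

if __name__ == "__main__":
    for flow, count in summarize(SAMPLES).items():
        print(flow, count)
```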