K
Q

How costly would using pcap to monitor 15-30 interfaces be?

9/30/2018

With docker networking in one standard configuration, each container has it's own virtual NIC.

I'm interested in monitoring all those simultaneously, scraping IP src and dst address as well as TCP or UDP src and dst port if applicable.

How costly is doing this likely to be?

Is there any way to do what I want which is monitoring just the docker bridge interface when in bridge mode?

When dealing with multiple docker networks communicating with each other via flannel in Kubernetes, I found that many src and dst IP addressee were just the bridge address. (Presumably, the bridge does NAT, but for some reason, I wasn't seeing translation rules under iptables -t nat -L)

-- FullTimeCoderPartTimeSysAdmin
docker
kubernetes
libpcap

Similar Questions

Can I Connect OVH Loadbalancer to my Kubernetes Cluster from OVH Cloud provider
Kubernetes enable service for HTTPS
Helm dependency update when upgrading chart
Can I use a previous GCP Ubuntu OS version on GKE?
Elasticsearch unassigned shards : corrupt_index_exception, no_valid_shard_copy, e_o_f_exception
NodePort conflicts wiht kube-apiserver's hostPort
using a raspberry pi for administrating remotely k8s clusters

1 Answer

9/30/2018

It is considerable. If you are doing pcap inside the containers you might run into 2-3 times more CPU computation overhead from your applications. But in reality, it all depends on how you are capturing, is your expression capturing every single packet? Does your application have heavy traffic?

Another question here offers more insights: How intrusive is tcpdump?

As you have already mentioned, if you capture just on the bridged interface you might be already seeing the translated/masqueraded addresses.

-- Rico
Source: StackOverflow