Pivotal Knowledge Base


How to Snoop Traffic Going Through an Application in Diego Cell


Pivotal Cloud Foundry (PCF) 1.11+


This article explains how you can snoop packets going through applications running on your Pivotal Cloud Foundry deployment. It explains how to find the Linux network interface that is connected to an application so that you can execute the `tcpdump` command to snoop packets.

Besides `tcpdump`, you can also execute whatever you can do with the standard Linux commands that operate on the network interface, such as `ip`, `netstat`, etc.  This should be used when you want to debug or troubleshoot applications at the network traffic level.

Note that this requires operator administrative access to your PCF deployment. 


  1. For PCF 1.11 and above, follow the article How to get into an App Container Manually with Garden-RunC Backend up to step #6.  After running these steps, you should be SSH'd into the Diego Cell where your application is running and you should have located the container uuid. 
  2. Run `/var/vcap/packages/runc/bin/runc exec -t <container uuid> /sbin/ip link | grep ether | awk '{print $2}' | cut -f 4-6 -d ':'`, making sure to insert your container uuid at the marker.  The output will be the MAC address of the network adapter inside the container.
  3. Now run `ifconfig | grep "ff:1e:1d" | awk '{print $1}'`.  This will return the name of the network adapter that's being used by the host side of the container on the Diego Cell.  You can snoop on this interface to view all traffic going into and out of the container.
  4. You can use `tcpdump -i <interface>` from the host Diego Cell to snoop the traffic. 
  5. Besides tcpdump, you can do whatever you can do with standard Linux commands that operate on the network interface, such as ip, netstat, etc. 


  • You might inadvertently view sensitive information going through the application's traffic that you are snooping on.
  • This information is based on the implementation details of the Diego Cell, which may change at any time without formal notice.




  • Avatar
    Hector Li

    For versions 1.9 and above, suggest to use the following:

    hector_mac=`/var/vcap/packages/runc/bin/runc exec -t /sbin/ip link | grep ether | awk '{print $2}' | cut -f 4-6 -d ':'`; hector_interface=`ifconfig | grep $hector_mac | awk '{print $1}'`; tcpdump -i $hector_interface

Powered by Zendesk