cannot seem to pass a filter correctly #55

Closed
christian-posta opened this issue Jan 27, 2020 · 1 comment

```
k sniff customer-7f8d477894-9gl96  -c istio-proxy  -p -f '((tcp) and (net $PREF_POD_IP))' -o ~/temp/foo.pcap
INFO[0000] sniffing method: privileged pod
INFO[0000] using tcpdump path at: '/Users/ceposta/.krew/store/sniff/v1.3.1/static-tcpdump'
INFO[0000] sniffing on pod: 'customer-7f8d477894-9gl96' [namespace: 'default', container: 'istio-proxy', filter: '((tcp)', interface: 'any']
INFO[0000] creating privileged pod on node: 'gke-ceposta-customer-gloo-gateway-poo-8111e7e4-fc87'
INFO[0000] pod created: &Pod{ObjectMeta:k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta{Name:ksniff-4zwpm,GenerateName:ksniff-,Namespace:default,SelfLink:/api/v1/namespaces/default/pods/ksniff-4zwpm,UID:b128687c-415c-11ea-b17e-42010a8a0137,ResourceVersion:44002068,Generation:0,CreationTimestamp:2020-01-27 16:28:15 -0700 MST,DeletionTimestamp:<nil>,DeletionGracePeriodSeconds:nil,Labels:map[string]string{},Annotations:map[string]string{kubernetes.io/limit-ranger: LimitRanger plugin set: cpu request for container ksniff-privileged,},OwnerReferences:[],Finalizers:[],ClusterName:,Initializers:nil,},Spec:PodSpec{Volumes:[{docker-sock {HostPathVolumeSource{Path:/var/run/docker.sock,Type:*File,} nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil}} {default-token-jgf24 {nil nil nil nil nil &SecretVolumeSource{SecretName:default-token-jgf24,Items:[],DefaultMode:*420,Optional:nil,} nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil}}],Containers:[{ksniff-privileged docker [sh -c sleep 10000000] []  [] [] [] {map[] map[cpu:{{100 -3} {<nil>} 100m DecimalSI}]} [{docker-sock true /var/run/docker.sock  <nil>} {default-token-jgf24 true /var/run/secrets/kubernetes.io/serviceaccount  <nil>}] [] nil nil nil /dev/termination-log File Always SecurityContext{Capabilities:nil,Privileged:*true,SELinuxOptions:nil,RunAsUser:nil,RunAsNonRoot:nil,ReadOnlyRootFilesystem:nil,AllowPrivilegeEscalation:nil,RunAsGroup:nil,ProcMount:nil,} false false
false}],RestartPolicy:Never,TerminationGracePeriodSeconds:*30,ActiveDeadlineSeconds:nil,DNSPolicy:ClusterFirst,NodeSelector:map[string]string{},ServiceAccountName:default,DeprecatedServiceAccount:default,NodeName:gke-ceposta-customer-gloo-gateway-poo-8111e7e4-fc87,HostNetwork:false,HostPID:false,HostIPC:false,SecurityContext:&PodSecurityContext{SELinuxOptions:nil,RunAsUser:nil,RunAsNonRoot:nil,SupplementalGroups:[],FSGroup:nil,RunAsGroup:nil,Sysctls:[],},ImagePullSecrets:[],Hostname:,Subdomain:,Affinity:nil,SchedulerName:default-scheduler,InitContainers:[],AutomountServiceAccountToken:nil,Tolerations:[{node.kubernetes.io/not-ready Exists  NoExecute 0xc000366330} {node.kubernetes.io/unreachable Exists  NoExecute 0xc000366350}],HostAliases:[],PriorityClassName:,Priority:*0,DNSConfig:nil,ShareProcessNamespace:nil,ReadinessGates:[],RuntimeClassName:nil,EnableServiceLinks:*true,},Status:PodStatus{Phase:Pending,Conditions:[],Message:,Reason:,HostIP:,PodIP:,StartTime:<nil>,ContainerStatuses:[],QOSClass:Burstable,InitContainerStatuses:[],NominatedNodeName:,},}
INFO[0000] waiting for pod successful startup
INFO[0002] pod: 'ksniff-4zwpm' created successfully on node: 'gke-ceposta-customer-gloo-gateway-poo-8111e7e4-fc87'
INFO[0002] output file option specified, storing output in: '/Users/ceposta/temp/foo.pcap'
INFO[0002] starting remote sniffing using privileged pod
INFO[0002] executing command: '[docker run --rm --name=ksniff-container-KCIooubl --net=container:b167089f8e6a8966551b7db278640703ddf9a92415dd68e863f2ee87305b72c1 corfr/tcpdump -i any -U -w - ((tcp)]' on container: 'ksniff-privileged', pod: 'ksniff-4zwpm', namespace: 'default'
INFO[0003] command: '[docker run --rm --name=ksniff-container-KCIooubl --net=container:b167089f8e6a8966551b7db278640703ddf9a92415dd68e863f2ee87305b72c1 corfr/tcpdump -i any -U -w - ((tcp)]' executing successfully exitCode: '1', stdErr :'tcpdump: syntax error in filter expression: syntax error
'
INFO[0003] remote sniffing using privileged pod completed
INFO[0003] starting sniffer cleanup
INFO[0003] removing privileged container: 'ksniff-container-KCIooubl'
INFO[0003] executing command: '[docker rm -f ksniff-container-KCIooubl]' on container: 'ksniff-privileged', pod: 'ksniff-4zwpm', namespace: 'default'
INFO[0004] command: '[docker rm -f ksniff-container-KCIooubl]' executing successfully exitCode: '1', stdErr :'Error: No such container: ksniff-container-KCIooubl
'
INFO[0004] privileged container: 'ksniff-container-KCIooubl' removed successfully
INFO[0004] removing pod: 'ksniff-4zwpm'
INFO[0004] removing privileged pod: 'ksniff-4zwpm'
INFO[0004] privileged pod: 'ksniff-4zwpm' removed
INFO[0004] pod: 'ksniff-4zwpm' removed successfully
INFO[0004] sniffer cleanup completed successfully
```
eldadru (Owner) commented Jan 28, 2020

Amm, looks like a shell issue. I executed the same command (for a different pod) and the filter was successfully received by ksniff:

```
INFO[0000] sniffing method: privileged pod
INFO[0000] using tcpdump path at: '/Users/eldadru/.krew/store/sniff/v1.3.1/static-tcpdump'
INFO[0000] no container specified, taking first container we found in pod.
INFO[0000] selected container: 'echoserver'
INFO[0000] sniffing on pod: 'hello-minikube-797f975945-z6k4q' [namespace: 'default', container: 'echoserver', **filter: '((tcp) and (net $PREF_POD_IP))'**, interface: 'any']
INFO[0000] creating privileged pod on node: 'minikube'
```

In your case it seems ksniff gets the filter part as only '((tcp)'

eldadru closed this as completed Feb 8, 2020
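An added example, not part of the original thread and not ksniff code: one way a shell layer can cut the filter down to `((tcp)`. It assumes `k` is a wrapper function that forwards its arguments unquoted (the thread does not say how `k` is defined); `filter_seen`, `k_unquoted` and `k_quoted` are hypothetical names.

```shell
#!/bin/sh
# Constructed stand-ins only; nothing here calls kubectl or ksniff.

# Stand-in for the tool's flag parser: return the single argv element
# that follows -f, which is what ends up logged as "filter: '...'".
filter_seen() {
    while [ "$#" -gt 0 ]; do
        if [ "$1" = "-f" ]; then
            printf '%s' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Hypothetical wrapper forwarding with unquoted $*: the shell re-splits
# every argument on whitespace, so the quoted filter becomes four words
# and only the first one is bound to -f.
k_unquoted() {
    # shellcheck disable=SC2048,SC2086
    filter_seen $*
}

# Same wrapper forwarding "$@": each original argument stays one element.
k_quoted() {
    filter_seen "$@"
}

# Filter string exactly as typed in the issue (single quotes keep
# $PREF_POD_IP literal, as in both logs above).
# shellcheck disable=SC2016
FILTER='((tcp) and (net $PREF_POD_IP))'

broken=$(k_unquoted sniff some-pod -c istio-proxy -p -f "$FILTER")
intact=$(k_quoted sniff some-pod -c istio-proxy -p -f "$FILTER")

printf 'unquoted wrapper passes: %s\n' "$broken"
printf 'quoted wrapper passes:   %s\n' "$intact"
```

Running `type k` in the affected shell shows whether `k` is an alias, a function or a script, which narrows down where the splitting happens.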