You're right — traffic mirroring does not support requester-managed ENIs, including those used in ECS with awsvpc mode. Unfortunately, this limitation rules out using VPC traffic mirroring on these interfaces directly.
Here's what you can do:
- Capture traffic inside the ECS container itself
If your ECS tasks are running in awsvpc mode, each task gets its own ENI. While you can’t attach a traffic mirror to this ENI, you can still run packet capture tools inside the container or ECS task.
Add tcpdump or wireshark to your container image.
Run a command like:
tcpdump -i eth0 -w /tmp/capture.pcap
You can then copy the .pcap out of the container or ship it to S3 for analysis.
Note: If you're using Fargate, this won’t work — you’ll need EC2-backed ECS.
- Use a sidecar container for packet capture
For ECS EC2 launch type, you can run a privileged sidecar container in the same task definition with networkMode: awsvpc. Use this container to capture traffic via shared ENI.
Enable CAP_NET_RAW, CAP_NET_ADMIN in the container task role.
Mount a shared volume to write .pcap files.
Run tcpdump in the sidecar.
- If you control the EC2 host (ECS-optimized AMI)
You can SSH into the EC2 instance and identify the ENI attached to the container using:
ip addr
Then run:
sudo tcpdump -i <eni-device-name> -w /tmp/container-capture.pcap
This is only viable if your security policies allow host access.
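The sidecar approach above, worked through as an added example (this is not code from the answer or from AWS): a single POSIX shell script that serves as the sidecar's entrypoint and can also print the task definition that wires it in. It assumes placeholder names throughout (the bucket `example-pcap-bucket`, the image URIs and account id, the task role ARN, the script path `/usr/local/bin/pcap-sidecar.sh`, the filter `not port 22`). The Linux capabilities are granted in the container definition's `linuxParameters.capabilities.add`, which is where ECS reads them from; the task role only needs `s3:PutObject` on the bucket for the upload step.

```shell
#!/bin/sh
# Added example (not from the re:Post answer): entrypoint for a packet-capture
# sidecar in an ECS EC2 task running in awsvpc mode. In awsvpc mode every
# container in the task shares one network namespace, so eth0 here is the
# task ENI that VPC traffic mirroring cannot attach to.
#
# Modes (dispatched on the first argument):
#   capture       run tcpdump with timed rotation; tcpdump hands each closed
#                 file back to this script through its -z hook
#   <path>.pcap   upload one rotated file to S3 and delete it
#   taskdef       print a task definition that wires the sidecar in
# Bucket, image URIs, account id, role and script path are placeholders.
set -eu
export TZ=UTC                                   # -G filenames use local time

IFACE="${IFACE:-eth0}"
CAPTURE_DIR="${CAPTURE_DIR:-/captures}"          # shared volume mount point
CAPTURE_BUCKET="${CAPTURE_BUCKET:-example-pcap-bucket}"
CAPTURE_PREFIX="${CAPTURE_PREFIX:-pcaps}"
ROTATE_SECONDS="${ROTATE_SECONDS:-300}"
BPF_FILTER="${BPF_FILTER:-not port 22}"          # keep management noise out

# S3 object key for a rotated capture file.
s3_key_for() {
  printf '%s/%s\n' "$CAPTURE_PREFIX" "$(basename "$1")"
}

# tcpdump argument list, one argument per line so callers can split safely.
# -G rotates every ROTATE_SECONDS and expands strftime(3) in the -w name;
# -z runs this script with the finished file as its only argument;
# -Z root stops tcpdump from dropping to a 'tcpdump' user the image may lack.
tcpdump_args() {
  printf '%s\n' \
    -i "$IFACE" -s 0 -Z root \
    -w "$CAPTURE_DIR/capture-%Y%m%dT%H%M%SZ.pcap" \
    -G "$ROTATE_SECONDS" -z "$0" \
    "$BPF_FILTER"
}

# Upload a closed capture with server-side encryption, then free the volume.
# Needs s3:PutObject on the bucket through the task role.
upload_pcap() {
  aws s3 cp "$1" "s3://$CAPTURE_BUCKET/$(s3_key_for "$1")" \
    --sse AES256 --only-show-errors && rm -f "$1"
}

run_capture() {
  mkdir -p "$CAPTURE_DIR"
  set -f                       # no globbing while splitting the arg list
  IFS='
'
  # shellcheck disable=SC2046
  set -- $(tcpdump_args)
  exec tcpdump "$@"
}

# Task definition that attaches the sidecar to an app container. Both share
# the 'captures' volume and, because of awsvpc, the same eth0.
task_definition_json() {
  cat <<'EOF'
{
  "family": "app-with-pcap-sidecar",
  "networkMode": "awsvpc",
  "requiresCompatibilities": ["EC2"],
  "taskRoleArn": "arn:aws:iam::123456789012:role/pcap-sidecar-task-role",
  "volumes": [{"name": "captures", "host": {}}],
  "containerDefinitions": [
    {
      "name": "app",
      "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:latest",
      "essential": true,
      "memory": 512,
      "portMappings": [{"containerPort": 8080, "protocol": "tcp"}]
    },
    {
      "name": "pcap-sidecar",
      "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/pcap-sidecar:latest",
      "essential": false,
      "memory": 128,
      "command": ["/usr/local/bin/pcap-sidecar.sh", "capture"],
      "linuxParameters": {"capabilities": {"add": ["NET_RAW", "NET_ADMIN"]}},
      "environment": [
        {"name": "CAPTURE_BUCKET", "value": "example-pcap-bucket"},
        {"name": "BPF_FILTER", "value": "tcp port 8080"}
      ],
      "mountPoints": [{"sourceVolume": "captures", "containerPath": "/captures"}]
    }
  ]
}
EOF
}

case "${1:-}" in
  capture) run_capture ;;
  taskdef) task_definition_json ;;
  *.pcap)  upload_pcap "$1" ;;
  *)       : ;;   # no argument: only define the functions
esac
```

Register it with `aws ecs register-task-definition --cli-input-json "$(./pcap-sidecar.sh taskdef)"` and run it on the EC2 launch type; Fargate rejects added capabilities other than SYS_PTRACE, which is why the answer's Fargate caveat holds for the sidecar too. The sidecar is marked non-essential so a capture failure does not take the application down. The rotated files hold cleartext application traffic, so keep the bucket private, give the task role write-only access, and put a lifecycle rule on the prefix.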