Observing Packets Between Your Containers
Eliminate Cloud Blind Spots and Reduce MTTR with Virtual TAPs Powered by eBPF
Containerized workloads run the modern enterprise. Teams reach for Kubernetes and Docker to package workloads, accelerate deployment pipelines, and scale resilient applications across hybrid and multi-cloud estates. But the same abstractions that make containers powerful – pods, services, overlay networks, and dynamic scaling – also make them opaque.
Roughly 80% of traffic in a modern data center moves east-west, laterally between workloads, and a large share of it never leaves the host on which it runs. This makes it difficult to diagnose and triage issues with containerized applications. When something breaks or a threat moves quietly between services, logs and metrics tell you that something is wrong. They don’t always tell you critical information – what happened, when and where it happened, and why it occurred in your network.
cPacket is closing that gap. With immediate packet-level visibility between containers, cTap-V accelerates incident triage, lowers mean time to resolution (MTTR), and eases tool overload by feeding each tool only the traffic that matters. And because everyone works from the same packet-level evidence, SecOps and NetOps collaborate more effectively.
The blind spot logs can't fill
Metrics and traces reveal network state as reported by infrastructure components. They don't capture what is actually happening on the wire between components: the retransmissions, latency spikes, zero-window sessions, and misconfigurations that live in the connections rather than inside any single service. The orchestrator's control plane abstracts the infrastructure away, so NetOps and SecOps teams are left correlating IPs and network interfaces with varying capabilities on one side with pods and namespaces on the other, speaking two different languages. When operating in multi-cloud scenarios – with various container network interfaces (CNI) from AWS VPC, Azure, or Google Cloud – correlation quickly becomes layered and complex.
Packets provide the definitive evidence needed to validate what logs, metrics, and traces suggest has occurred on the network. cPacket’s virtual tap solution, cTap-V, provides NetOps and SecOps teams with immediate, packet-level visibility into east-west traffic between workloads and north-south traffic crossing the cluster or host boundary, eliminating the blind spots that would otherwise exist.
One eBPF engine, two container worlds
cTap-V is built on eBPF (Extended Berkeley Packet Filter), a Linux kernel technology that lets verified, sandboxed programs run safely inside the kernel without modifying kernel source or loading risky modules. Acquisition happens in the kernel itself, keeping the eBPF data path out of your application containers and host overhead to a minimum. There are no sidecars to inject and no pods to restart.
cTap-V serves as a single acquisition engine that adapts to its environment:
- Kubernetes: cTap-V deploys as a node-level virtual tap that mirrors pod traffic and forwards it downstream, with optional filtering by namespace, K8s labels and other variables. It observes and mirrors traffic between pods on the same node and across different nodes.
- Docker: For workloads running directly on Docker, cTap-V makes container-to-container traffic visible on the same host and across hosts, with no orchestration layer required. Because acquisition happens at the host kernel, you observe both sides of every conversation.
One consistent visibility model operates across both orchestrated and non-orchestrated deployments, minimizing deployment complexity and eliminating the need for different solutions across different environments.
cTap-V uses the Linux kernel's eBPF verifier and standard security mechanisms to safely load its packet acquisition programs. Deployment requires only the permissions necessary to attach eBPF programs and does not modify application containers or kernel source.
Coexisting with Cilium, not competing with it
Some clusters use Cilium to handle their networking, which creates a tricky problem: Cilium can grab a packet and send it on before other monitoring tools can inspect it. If a virtual tap is behind Cilium in the Traffic Control eXtension (TCX) program chain, it could miss that traffic entirely.
cTap-V solves this by making sure it sees each packet first. It detects when Cilium is present and positions itself ahead of it using TCX, takes a copy of the packet, and then hands it back to Cilium. cTap-V only watches and copies; it never changes, delays, or interferes with the traffic Cilium is managing. The result is complete packet-level visibility and interoperability with Cilium-based clusters, with no change to how your network already works. We also solve scenarios where TCX program-chaining is not present.
See everything. Capture what matters.
Unlike traditional network taps that mirror everything, cTap-V intelligently filters, slices, and directs packet traffic, so each downstream tool receives exactly the data it needs. This cuts tool load and storage costs without sacrificing visibility. Granular filtering by Kubernetes namespace, label, service name, or classic 5-tuple sends each tool only the traffic it should see, so an NDR platform, an NPM tool, and a forensics store each get a precisely tailored feed.
By mirroring curated feeds to cPacket’s cStor-V virtual capture appliance for analytics to cVu-V packet brokers for multi-target replication, or to your existing security stack, you can surface insights and KPIs across your hybrid cloud deployment through cClear-V Control Center.
For SecOps, that means full-fidelity capture to validate alerts, trace lateral movement, and reconstruct an incident with complete context. For NetOps, it means faster incident triage and root-cause analysis in minutes instead of hours, driving down mean time to resolution (MTTR). In summary, it means finally having the visibility to see what's really happening between your containers.



