I have some customers who would like to be able to execute a tcpdump on
their container interface.

I made a quick attempt:

/usr/sbin$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode
DEFAULT group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
535: w4elk1d3ta31-1: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP mode DEFAULT group default qlen 1
link/ether 72:d5:fa:30:96:29 brd ff:ff:ff:ff:ff:ff

./tcpdump -i w4elk1d3ta31-1
tcpdump: w4elk1d3ta31-1: You don't have permission to capture on that device
(socket: Operation not permitted)

Anyone know if this is something that is impossible within an unprivileged
container? Or is there by chance something that can be done to enable
tcpdump from within a container?

It appears it is possible to enable tcpdump to work without root but not
sure if it would apply to our situation:
http://peternixon.net/news/2012/01/28/configure-tcpdump-work-non-root-user-opensuse-using-file-system-capabilities/

Thoughts?

Mike