We use a lab based on the tcplife tool from the BCC collection. This lets students trace TCP sessions and, importantly, view the total bytes transferred. This is a better option for discovering a 'noisy neighbor' than simply counting packets; it tells you which pod is consuming all the network. So what do we need to do to enable this in a constrained teaching cluster? A quick answer is the pod's securityContext in the pod YAML manifest. Rather than giving out indiscriminate, dangerous privileges, we only give the pod what it needs to be able to use the system calls. So we add CAP_BPF and CAP_PERFMON to the container's capabilities, which gives the pod specific permission to the BPF syscall and access to performance monitoring tools without giving it complete access to the node.