How to TCPdump effectively in Docker

Philippe Bogaerts
2 min readJan 24, 2017

NEW: Hands-on labs available https://cloudyuga.guru/hands_on_lab/tcpdump_docker.

Containers can use the network stack in a few different ways. It all depends on how they connect to the network. A couple of options are:

  • docker bridge
  • host (ex. $docker run --rm -it --net=host ...)
  • container networks (ex. $docker run --rm -it --net=container:id ...)
  • overlay

Building a container and run good old stuff like TCPdump or ngrep would not yield much interesting information, because you link directly to the bridge network or overlay in a default scenario.

The good news is, that you can link your TCPdump container to the host network or even better, to the container network stack.

In the --net=hostcase, you can capture all traffic between the host and the physical network.

In the --net=container:id all traffic in/out a specific container (or group of containers) can be captured.

So let’s get started !

First create a TCPdump container

docker build -t tcpdump - <<EOF 
FROM ubuntu
RUN apt-get update && apt-get install -y tcpdump
CMD tcpdump -i eth0
EOF

Now lets run a network, an nginx container … and run some traffic

$ docker network create demo-net
$ docker run -d --network demo-net --name wwwnginx nginx
$ docker…

--

--

Philippe Bogaerts
Philippe Bogaerts

Written by Philippe Bogaerts

#BruCON co-founder, #OWASP supporter, Application Delivery and Web Application Security, #Kubernetes and #container, #pentesting enthousiast, BBQ & cocktails !!

Responses (4)