How to TCPdump effectively in Docker
NEW: Hands-on labs available https://cloudyuga.guru/hands_on_lab/tcpdump_docker.
Containers can use the network stack in a few different ways. It all depends on how they connect to the network. A few of the options are:
- docker bridge
- host (e.g. $ docker run --rm -it --net=host ...)
- container networks (e.g. $ docker run --rm -it --net=container:id ...)
- overlay
Building a container and running good old tools like TCPdump or ngrep inside it would not yield much interesting information, because in the default scenario the container is attached to the bridge network or an overlay and only sees its own traffic.
The good news is that you can attach your TCPdump container to the host network or, even better, to another container's network stack.
In the --net=host case, you can capture all traffic between the host and the physical network.
In the --net=container:id case, all traffic in and out of a specific container (or group of containers sharing that network namespace) can be captured.
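The --net=container:id case from above as a reusable script. This is an added example, not code from the original post: it assumes the image is tagged tcpdump as built below, that the target container (e.g. wwwnginx) is running, and uses a hypothetical host directory /tmp/caps so the pcap survives the capture container's removal.

```shell
#!/bin/sh
# Added example (not from the original post). Capture one container's traffic
# by sharing its network namespace (--net=container:<name>) and write the pcap
# to a bind-mounted host directory. Assumes the "tcpdump" image from the post.
set -eu

# Print the docker argv, one argument per line, so it can be inspected (or
# checked) even on a machine without Docker. The BPF filter is intentionally
# left unquoted so "port 80" splits into separate arguments.
capture_argv() {
    target=$1; outdir=$2; filter=${3:-}
    # -U flushes each packet to the file; -Z root keeps tcpdump from dropping
    # to the unprivileged "tcpdump" user, which cannot write into the host dir.
    printf '%s\n' docker run --rm "--net=container:${target}" \
        -v "${outdir}:/cap" tcpdump \
        tcpdump -i eth0 -n -U -Z root -w "/cap/${target}.pcap" ${filter}
}

# Run the capture for a fixed number of seconds. Because the capture container
# shares the target's namespace, "eth0" is the target container's interface,
# not the host's. timeout sends SIGTERM, tcpdump flushes and exits, --rm cleans up.
capture_for() {
    target=$1; outdir=$2; secs=$3; filter=${4:-}
    mkdir -p "$outdir"
    # shellcheck disable=SC2046  # word splitting of the argv is intended
    timeout "$secs" $(capture_argv "$target" "$outdir" "$filter") || true
    ls -l "${outdir}/${target}.pcap"
}

# Usage: ./capture.sh wwwnginx 10 'port 80'
# Only runs when a target is given and Docker is installed.
if [ -n "${1:-}" ] && command -v docker >/dev/null 2>&1; then
    capture_for "$1" /tmp/caps "${2:-10}" "${3:-}"
fi
```

Read the result on the host with tcpdump -nr /tmp/caps/wwwnginx.pcap; no extra capabilities are needed because Docker grants NET_RAW by default.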
So let's get started!
First, create a TCPdump container image:
docker build -t tcpdump - <<EOF
FROM ubuntu
RUN apt-get update && apt-get install -y tcpdump
CMD tcpdump -i eth0
EOF
Now let's create a network, run an nginx container in it, and generate some traffic:
$ docker network create demo-net
$ docker run -d --network demo-net --name wwwnginx nginx
$ docker…