How to TCPdump effectively in Docker

Philippe Bogaerts
2 min readJan 24, 2017

NEW: Hands-on labs available

Containers can use the network stack in a few different ways. It all depends on how they connect to the network. A couple of options are:

  • docker bridge
  • host (ex. $docker run --rm -it --net=host ...)
  • container networks (ex. $docker run --rm -it --net=container:id ...)
  • overlay

Building a container and run good old stuff like TCPdump or ngrep would not yield much interesting information, because you link directly to the bridge network or overlay in a default scenario.

The good news is, that you can link your TCPdump container to the host network or even better, to the container network stack.

In the --net=hostcase, you can capture all traffic between the host and the physical network.

In the --net=container:id all traffic in/out a specific container (or group of containers) can be captured.

So let’s get started !

First create a TCPdump container

docker build -t tcpdump - <<EOF 
FROM ubuntu
RUN apt-get update && apt-get install -y tcpdump
CMD tcpdump -i eth0

Now lets run a network, an nginx container … and run some traffic

$ docker network create demo-net
$ docker run -d --network demo-net --name wwwnginx nginx
$ docker run -it --network demo-net dockersec/siege \
-c 1 http://wwwnginx/

Now open a new shell and link the TCPdump container

$ docker run -it --net=container:wwwnginx tcpdumpor if you want to specify tcpdump flags and filters$ docker run -it --net=container:wwwnginx tcpdump tcpdump port 80

14:38:05.095483 IP 86fde53b1869.80 > 08f18be305e8.demo-net.41274: Flags [F.], seq 846, ack 149, win 235, options [nop,nop,TS val 2062442 ecr 2062442], length 0
14:38:05.095564 IP 08f18be305e8.demo-net.41274 > 86fde53b1869.80: Flags [F.], seq 149, ack 847, win 247, options [nop,nop,TS val 2062442 ecr 2062442], length 0
14:38:05.095607 IP 86fde53b1869.80 > 08f18be305e8.demo-net.41274: Flags [.], ack 150, win 235, options [nop,nop,TS val 2062442 ecr 2062442], length 0
14:38:06.097784 IP 08f18be305e8.demo-net.41276 > 86fde53b1869.80: Flags [S], seq 2606688608, win 29200, options [mss 1460,sackOK,TS val 2062543 ecr 0,nop,wscale 7], length 0
14:38:06.097846 IP
Philippe Bogaerts

#BruCON co-founder, #OWASP supporter, Application Delivery and Web Application Security, #Kubernetes and #container, #pentesting enthousiast, BBQ & cocktails !!