46

There are many containers running on the host, and I want to capture packets for one of these containers. Is there any way to do this?

sope
  • Wireshark is what you need – Rusty Sep 07 '16 at 06:45
  • Filter the network by the mac address. – Auzias Sep 07 '16 at 06:54
  • http://stackoverflow.com/questions/24611001/does-a-docker-container-have-its-own-tcp-ip-stack and https://github.com/manell/wireshark Check the above two links; they might be helpful. – Rusty Sep 07 '16 at 06:57
  • I am trying to find this too. This is what needs to be done, but I am struggling to get the right commands. 1. Find the interface which docker creates in the host. Remember that one would be the internal interface in the docker container and one would be the interface in the host. 2. We can simply do tcpdump on that interface using $tcpdump -i – Randeep Singh Jul 23 '17 at 13:13

4 Answers

37

You can bind to the network namespace of one container to another:

    docker run -it --rm --net container:<container_name> \
      nicolaka/netshoot tcpdump ...

To see more about the netshoot image used above, see: https://github.com/nicolaka/netshoot

BMitch
32

From and for a workstation with Wireshark:

    docker exec -ti <container id> cat /sys/class/net/eth0/iflink
    28

    ip link | grep 28
    28: veth11b0a6c@if27: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default

Wireshark interfaces

Etienne Gautier
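
An added example (not part of the answer above): looking up the host-side veth by exact interface index, since `grep 28` also matches MAC addresses and indexes such as 128. The sample `ip -o link` output and the function names `ifname_for_index` and `container_host_veth` are constructed for illustration; the live function assumes the container's interface is `eth0`.

```bash
# Added example: exact interface-index lookup instead of `ip link | grep 28`.
# Constructed sample of `ip -o link` output on a Docker host (not from the page).
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:28:34 brd ff:ff:ff:ff:ff:ff
28: veth11b0a6c@if27: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default \    link/ether 7a:28:10:aa:bb:cc brd ff:ff:ff:ff:ff:ff link-netnsid 0
128: vethc0ffee1@if127: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default \    link/ether 9e:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff link-netnsid 1'

# Read `ip -o link` output on stdin and print the name of the interface whose
# index is exactly $1, without the "@ifN" peer suffix. Returns non-zero if
# the index is not numeric or no interface has it.
ifname_for_index() {
  case "$1" in
    ''|*[!0-9]*) return 2 ;;
  esac
  awk -v idx="$1" -F': ' '
    $1 == idx { sub(/@.*/, "", $2); print $2; found = 1; exit }
    END { exit !found }'
}

# Live lookup. Assumes docker and iproute2 on the host and that the
# container's interface is eth0, as in the answer above.
container_host_veth() {
  idx=$(docker exec "$1" cat /sys/class/net/eth0/iflink) || return 1
  ip -o link | ifname_for_index "$idx"
}

# Demo on the constructed sample: index 28 resolves to one interface even
# though "28" also appears in MAC addresses and in index 128.
printf '%s\n' "$SAMPLE_IP_LINK" | ifname_for_index 28

# On a real host:
#   tcpdump -i "$(container_host_veth <container id>)" -w capture.pcap
```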
13
  • First, get pid of the container you are interested in

    PID=$(docker inspect --format "{{ .State.Pid }}" "$CONTAINER_ID")
    
  • Then enter the same network namespace

    nsenter -n -t "$PID"
    
  • Finally, run tcpdump

Ilya Kisil
weifan01
0

In rare cases (or maybe when you create your own container images) the container may have tcpdump installed. In that case, you can issue the following command to get a 10 second capture saved to the host computer (outside of the container):

    # Set CONTAINER_ID to the container you want to perform a dump from
    # Consider docker ps for finding the container id
    # for example, CONTAINER_ID=$( docker ps | grep "$IMAGE" | awk '{print $1}' )
    docker exec "$CONTAINER_ID" bash -c 'timeout 10 tcpdump -i eth0 -w /dev/stdout' > capture.pcap

Mark