How to TCPdump effectively in Docker

Philippe Bogaerts
Jan 24, 2017 · 2 min read

Containers can use the network stack in a few different ways. It all depends on how they connect to the network. A couple of options are:

  • docker bridge
  • host (ex. $docker run --rm -it --net=host ...)
  • container networks (ex. $docker run --rm -it --net=container:id ...)
  • overlay

Building a container and run good old stuff like TCPdump or ngrep would not yield much interesting information, because you link directly to the bridge network or overlay in a default scenario.

The good news is, that you can link your TCPdump container to the host network or even better, to the container network stack.

In the --net=hostcase, you can capture all traffic between the host and the physical network.

In the --net=container:id all traffic in/out a specific container (or group of containers) can be captured.

So let’s get started !

First create a TCPdump container

docker build -t tcpdump - <<EOF 
FROM ubuntu
RUN apt-get update && apt-get install -y tcpdump
CMD tcpdump -i eth0

Now lets run a network, an nginx container … and run some traffic

$ docker network create demo-net
$ docker run -d --network demo-net --name wwwnginx nginx
$ docker run -it --network demo-net dockersec/siege \
-c 1 http://wwwnginx/

Now open a new shell and link the TCPdump container

$ docker run -it --net=container:wwwnginx tcpdumpor if you want to specify tcpdump flags and filters$ docker run -it --net=container:wwwnginx tcpdump tcpdump port 80

14:38:05.095483 IP 86fde53b1869.80 > 08f18be305e8.demo-net.41274: Flags [F.], seq 846, ack 149, win 235, options [nop,nop,TS val 2062442 ecr 2062442], length 0
14:38:05.095564 IP 08f18be305e8.demo-net.41274 > 86fde53b1869.80: Flags [F.], seq 149, ack 847, win 247, options [nop,nop,TS val 2062442 ecr 2062442], length 0
14:38:05.095607 IP 86fde53b1869.80 > 08f18be305e8.demo-net.41274: Flags [.], ack 150, win 235, options [nop,nop,TS val 2062442 ecr 2062442], length 0
14:38:06.097784 IP 08f18be305e8.demo-net.41276 > 86fde53b1869.80: Flags [S], seq 2606688608, win 29200, options [mss 1460,sackOK,TS val 2062543 ecr 0,nop,wscale 7], length 0
14:38:06.097846 IP

Philippe Bogaerts

Written by

BruCON co-founder, OWASP supporter, AviNetworks presales engineer and Docker enthusiast! Interested in webapp security and pentesting, music and food !!

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade