Docker capture packets

efratushhh · July 14, 2016, 7:12am

I have a docker host with 3 containers running 3 different apps.

I’d like to install Suricata (IDS) / tcpdump on the host itself, to be able to: 1. Capture packets from a container and outside. 2. Capture packets between 2 containers.

Are 2 options possible? What is the procedure to get my goals?

nathanleclaire · July 14, 2016, 5:51pm

Seems perfectly doable. Take a look at the docker0 bridge which containers use for communication by default.

efratushhh · July 14, 2016, 7:24pm

Great!!! Thanks…

BTW, if I want to run a different container for capturing those packets ( mirroring), for example, running tcpdump on another container - how can I do mirroring from docker0 to that container?

‫

‫ב-14 ביולי 2016, בשעה 20:51, ‏‏Nathan Le Claire ‏docker@discoursemail.com כתב/ה:‬

nathanleclaire · July 14, 2016, 8:22pm

You could potentially create them in the same docker network or just use --net host on the tcpdump container.

efratushhh · July 30, 2016, 1:34pm

Hey Nathan, thanks for your help!

Another question please,

Assume I have container A with IP 172.10.12.22 that gets some TCP/UDP traffic on port 3000.

Now assume I have another container, B, with IP 172.10.12.33 that listens on port 4000.

I’d like B to set as a tap for container A (able to monitor all of the traffic that A gets)

In other words, I’d like to mirror every traffic that A gets (whether it come from outside or from another container), into container B.

Is there a docker command for this?

Thanks,
Efrat!

‫

‫ב-14 ביולי 2016, בשעה 23:22, ‏‏Nathan Le Claire ‏docker@discoursemail.com כתב/ה:‬

nathanleclaire · August 1, 2016, 6:00pm

I’d just have a reverse proxy container and direct all inbound requests to that first before reverse proxying to the destination container. That way you can do whatever you like with the data streams.

efratushhh · August 1, 2016, 11:05pm

Thanks! Can you provide with some detailed instructions of how to do this? Maybe a Dockerfile sample? It might help me a lot.

‫

‫ב-1 באוג׳ 2016, בשעה 21:00, ‏‏Nathan Le Claire ‏docker@discoursemail.com כתב/ה:‬

efratushhh · August 11, 2016, 4:10am

Hi,

got another question for you, regarding Swarm,

I’ve got a Swarm manager and 3 workers.

I’d like to write a python script that subscribes to changes that are made
with Swarm (for example, getting an alert once a container is being created
and running, or getting an alert once a container is stopped).

Is it possible?

Thanks,
Efrat