[HOWTO] Capture the communication of and inside a Docker container using Wireshark with Edgeshark plugin

Having trouble with your containers’ communication? Unsure if their networking is correctly configured and traffic is correctly flowing…?

With a single click you can now start Wireshark and connect it to one of your running containers, so you can watch the container’s traffic live and diagnose it.

No need to hack your container or mess around with complicated CLI commands and Wireshark-in-a-container. The services and tools for this are open source; see also GitHub - siemens/edgeshark: Discover and capture container network traffic from your comfy desktop Wireshark, using a containerized service and a Wireshark plugin.

Quick Start

First, deploy the two services (“Edgeshark”) to your Linux Docker host using this command:

wget -q --no-cache -O - \
  https://github.com/siemens/edgeshark/raw/main/deployments/wget/docker-compose-localhost.yaml \
  | docker compose -f - up

Then download a Wireshark plugin from Releases · siemens/cshargextcap · GitHub and install it. Linux (AMD64/ARM64), macOS (AMD64/ARM64) and Windows (AMD64) are supported.

Finally, point your web browser at http://127.0.0.1:5001 on your Docker host. You should now see a “wiring” view of your container workload. Docker Desktop users might be surprised to also see the whole Docker Desktop networking infrastructure and services. Click the “shark fin” button next to your container, and Wireshark should start and attach to your container’s traffic.

Apple users cannot use the “shark fin” buttons; instead, they need to start Wireshark manually and then configure the “Docker host capture” plugin.
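As an added example (not part of this post or the Edgeshark project), here is a small POSIX shell pre-flight check for the deployment step above: the capture service can see every container’s traffic, so before running `docker compose ... up` it verifies that the downloaded compose file only publishes ports on the loopback address, as the “localhost” compose file name and the http://127.0.0.1:5001 URL imply, and then waits for the web UI to answer. The compose fragments used in the check and the service name `edgeshark-ui` are constructed, the short `host:container` port syntax is assumed, and `wait_for_ui` assumes curl is installed.

```shell
#!/bin/sh
# Added example, not Edgeshark project code: pre-flight checks for the
# "docker compose -f docker-compose-localhost.yaml up" step.

# Usage: check_localhost_ports FILE
# Prints any published port that is not pinned to 127.0.0.1/localhost and
# returns 1; returns 0 when every mapping is loopback-only, 2 on a bad path.
# Assumes compose short port syntax ("[host_ip:]host_port:container_port").
check_localhost_ports() {
    compose_file="$1"
    if [ ! -r "$compose_file" ]; then
        printf 'cannot read %s\n' "$compose_file" >&2
        return 2
    fi
    # Collect port list items, strip the list marker and quotes, then keep
    # entries whose host IP is missing (Docker then binds 0.0.0.0) or not
    # loopback.
    bad=$(grep -E '^[[:space:]]*-[[:space:]]*"?[0-9.:]*[0-9]+:[0-9]+' "$compose_file" \
        | sed -E 's/^[[:space:]]*-[[:space:]]*"?//; s/"?[[:space:]]*$//' \
        | awk -F: 'NF < 3 || ($1 != "127.0.0.1" && $1 != "localhost") { print }')
    if [ -n "$bad" ]; then
        printf 'port mapping not restricted to loopback:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Usage: wait_for_ui [URL]
# Polls the Edgeshark web UI (default is the URL from the post) for up to
# 30 seconds; assumes curl is available.
wait_for_ui() {
    url="${1:-http://127.0.0.1:5001}"
    n=0
    while [ "$n" -lt 30 ]; do
        if curl -fs -o /dev/null "$url"; then
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    printf 'UI at %s did not come up\n' "$url" >&2
    return 1
}

# Stand-alone use: ./preflight.sh docker-compose-localhost.yaml
if [ $# -gt 0 ]; then
    check_localhost_ports "$1" && wait_for_ui
fi
```

Run the check on the compose file fetched by the wget command before piping it into `docker compose`; a non-zero exit means the UI or capture service would be reachable from beyond the Docker host.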

Video

If you hate reading documentation and love watching YT, then we’ve got an introduction and background information video for you, too: http://www.youtube.com/watch?v=53dUH6cZ9rc. This is a recording of the class given at SharkFest 2023 in Brussels.

Hope you enjoy the tool!