I have a docker-compose with some containers which talk with each other.
This is the simplified file with only the service I'm going to talk about:
services:
  suricata:
    build:
      context: ./suricata
      dockerfile: Dockerfile
    image: suricata
    container_name: suricata
    cap_add:
      - NET_ADMIN
      - SYS_NICE
    networks:
      ship:
        ipv4_address: 172.20.0.5

networks:
  ship:
    ipam:
      config:
        - subnet: 172.20.0.0/16
          gateway: 172.20.0.1
The compose creates a new network interface ( br-c7e65f5b40b9 ) and I used Wireshark to sniff its packets. This is the result:
As you can see, there are different packets and also some UDP, which are the ones I'm interested in.
Then I run tcpdump inside the container and the result I get is:
15:54:48.308543 ARP, Request who-has 172.20.0.4 tell proxyais.ship_anomaly_detector_ship, length 28
15:54:49.332500 ARP, Request who-has 172.20.0.4 tell proxyais.ship_anomaly_detector_ship, length 28
15:54:50.356361 ARP, Request who-has 172.20.0.4 tell proxyais.ship_anomaly_detector_ship, length 28
15:54:51.380724 ARP, Request who-has 172.20.0.4 tell proxyais.ship_anomaly_detector_ship, length 28
15:54:52.404153 ARP, Request who-has 172.20.0.4 tell proxyais.ship_anomaly_detector_ship, length 28
15:54:53.428061 ARP, Request who-has 172.20.0.4 tell proxyais.ship_anomaly_detector_ship, length 28
15:54:54.452041 ARP, Request who-has 172.20.0.4 tell proxyais.ship_anomaly_detector_ship, length 28
15:54:55.476384 ARP, Request who-has 172.20.0.4 tell proxyais.ship_anomaly_detector_ship, length 28
15:54:56.502578 ARP, Request who-has 172.20.0.4 tell proxyais.ship_anomaly_detector_ship, length 28
15:54:57.524108 ARP, Request who-has 172.20.0.4 tell proxyais.ship_anomaly_detector_ship, length 28
15:54:58.548146 ARP, Request who-has 172.20.0.4 tell proxyais.ship_anomaly_detector_ship, length 28
15:54:59.571945 ARP, Request who-has 172.20.0.4 tell proxyais.ship_anomaly_detector_ship, length 28
15:55:00.596083 ARP, Request who-has 172.20.0.4 tell proxyais.ship_anomaly_detector_ship, length 28
15:55:01.620785 ARP, Request who-has 172.20.0.4 tell proxyais.ship_anomaly_detector_ship, length 28
15:55:02.644606 ARP, Request who-has 172.20.0.4 tell proxyais.ship_anomaly_detector_ship, length 28
15:55:03.668022 ARP, Request who-has 172.20.0.4 tell proxyais.ship_anomaly_detector_ship, length 28
15:55:04.692398 ARP, Request who-has 172.20.0.4 tell proxyais.ship_anomaly_detector_ship, length 28
…
Here tcpdump only sniffs ARP packets, ignoring all the others.
I also need to sniff the UDP ones. Why can't I do that?
Thank you in advance
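Background for the question above, and an added example that is not part of the original post: a Docker bridge network is a Linux bridge, which forwards unicast frames only to the port that owns the destination MAC, while ARP requests are broadcast to every port. A tcpdump inside the suricata container therefore sees its own traffic plus broadcasts (the ARP above), but not the unicast UDP exchanged between other containers; Wireshark on the host saw everything because it captured on the bridge itself. The compose fragment below shows two ways to give the sensor that visibility. It keeps the post's service and network names; `proxyais` is assumed to be the service behind the hostname in the tcpdump output, and the `command:` line assumes the image's entrypoint is the suricata binary.

```yaml
# Added example (not from the original post): two ways to let the suricata
# container see the UDP traffic between the other containers on "ship".
services:
  # Option A: share the network namespace of the container whose traffic you
  # want to inspect. "proxyais" is an assumed service name taken from the
  # hostname in the tcpdump output; replace it with the real service.
  suricata:
    build:
      context: ./suricata
      dockerfile: Dockerfile
    image: suricata
    container_name: suricata
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_NICE
    # Cannot be combined with "networks:"/"ipv4_address:" on this service;
    # suricata now shares proxyais's eth0 and sees its unicast UDP as well.
    network_mode: "service:proxyais"
    depends_on:
      - proxyais

  # Option B: run on the host network stack and capture on the bridge itself,
  # which is what Wireshark did. Pinning the bridge name (below) avoids the
  # random br-xxxxxxxxxxxx name changing on every "compose up".
  # suricata-host:
  #   image: suricata
  #   network_mode: host
  #   cap_add: [NET_ADMIN, NET_RAW, SYS_NICE]
  #   command: ["-i", "br-ship"]   # assumes the image entrypoint is suricata

networks:
  ship:
    driver: bridge
    driver_opts:
      # Give the host-side bridge a stable name instead of br-<id>.
      com.docker.network.bridge.name: br-ship
    ipam:
      config:
        - subnet: 172.20.0.0/16
          gateway: 172.20.0.1
```

With option A, `docker exec suricata tcpdump -i eth0 udp` should now show the UDP flows that were missing, since the interface is the monitored container's own.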