Analyzing container network traffic ... using other containers !
Containers can use the network stack in a few different ways:
- none
- docker bridge (or user defined networks and overlays)
- host (shares the network stack of the docker host)
- container networks (ex. docker run --net container:id ...)
Building a container and running good old tools like tcpdump or ngrep, or, for the old-school hackers, dsniff, urlsnarf, etc., would not yield much interesting information, because the container is attached to the default bridge network, where it only sees its own traffic.
On the other hand, you can attach your container to the host network (--net=host) or even to another container's network (--net=container:id). In that case you can basically sniff the traffic of the entire host, or of a specific container!
To build a container that runs dsniff is pretty simple. Take this Dockerfile:
FROM debian
# the dsniff package also ships urlsnarf and friends
RUN apt-get update && apt-get install -y dsniff
# -i eth0: interface of whichever network namespace the container is attached to
# -m: enable automatic protocol detection
CMD dsniff -i eth0 -m
and build it like
docker build -t xxradar/dsniffcon .
You can now attach the container to the host network with --net=host:
docker run -it --net=host xxradar/dsniffcon
root@host:~/dsniffcon# docker run -it --net=host xxradar/dsniffcon
dsniff: listening on eth0
-----------------
06/13/16 19:58:40 tcp 12.97.16.194.9143 -> www.foo.com.80 (http)
GET / HTTP/1.1
Host: www.foo.com
Authorization: Basic dGVzdDp0ZXN0cHc= [test:testpw]
or to a specific container (ex. an nginx container):
root@host:~/dsniffcon# docker run -it --net=container:a51ba... xxradar/dsniffcon
dsniff: listening on eth0
-----------------
06/13/16 20:00:56 tcp 12.97.16.194.5288 -> a51414ba0ff9.80 (http)
GET / HTTP/1.1
Host: www.foo.com
Authorization: Basic dGVzdDp0ZXN0cHc= [test:testpw]
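The flip side of the above, as an added example that is not part of the original post: any container started with --net=host or --net=container:id sees that traffic, so a host owner can audit running containers for shared network namespaces by parsing docker inspect output. The script reads the real HostConfig.NetworkMode, Name and Id fields; the JSON sample is constructed, and in practice you would feed it the output of docker inspect $(docker ps -q).

```python
import json

# Constructed sample of `docker inspect` output, trimmed to the fields used.
# Real output: docker inspect $(docker ps -q) > containers.json
SAMPLE_INSPECT = json.dumps([
    {"Id": "c0ffee0000000000aaaa", "Name": "/web",
     "HostConfig": {"NetworkMode": "default"}},
    {"Id": "1111aaaa2222bbbb3333", "Name": "/sniffer-host",
     "HostConfig": {"NetworkMode": "host"}},
    {"Id": "4444cccc5555dddd6666", "Name": "/sniffer-web",
     "HostConfig": {"NetworkMode": "container:c0ffee0000000000aaaa"}},
    {"Id": "7777eeee8888ffff9999", "Name": "/batch",
     "HostConfig": {"NetworkMode": "none"}},
])


def find_shared_netns(inspect_json):
    """Return (name, mode, peer) for every container that shares a network namespace.

    mode is 'host' or 'container'; peer is 'host' or the name of the container
    whose namespace is shared (the raw id if that container is not in the list).
    """
    containers = json.loads(inspect_json)
    by_id = {c["Id"]: c["Name"].lstrip("/") for c in containers}
    findings = []
    for c in containers:
        name = c["Name"].lstrip("/")
        mode = c.get("HostConfig", {}).get("NetworkMode", "default")
        if mode == "host":
            findings.append((name, "host", "host"))
        elif mode.startswith("container:"):
            target = mode.split(":", 1)[1]
            # match on prefix as well, in case a short id was used at `docker run`
            peer = next((n for i, n in by_id.items() if i.startswith(target)), target)
            findings.append((name, "container", peer))
    return findings


if __name__ == "__main__":
    for name, mode, peer in find_shared_netns(SAMPLE_INSPECT):
        print(f"{name}: shares network namespace of {peer} (--net={mode})")
```

Containers attached to the default bridge, a user-defined network or no network are not reported, matching the list of network modes at the top of the post.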