This is a follow-up to a previous post about install tcpdump in boot2docker. On Tiny Core Linux tcpdump currently has a broken dependancy chain - netfilter fails to install with a 404 for the specific version. Since writing that post, I’ve been using tshark over SSH to debug remote hosts and realized the same technique can apply to a boot2docker VM.
This assumes you already have both wireshark and docker installed, so if you don’t go do that. I’ll wait.
Create the image
An Alpine Linux image with tshark installed comes in at ~92mb. Its a little bit hefty for a tool like this; although tcpdump is much smaller, I prefer the expressiveness of the capture filters for tshark.
Save the contents below as a Dockerfile and run
docker build -t tshark . from that directory.
FROM alpine RUN apk add --no-cache tshark ENTRYPOINT ["dumpcap", "-P", "-w", "-", "-i", "eth0", "-"]
Now to start capturing all of traffic on your Docker VM, run:
wireshark -k -i <(docker run --name netcap --net=host tshark); docker rm -f netcap
Filters can be added after tshark. For example, to capture traffic just on port 8080 you can change the command to
docker run --name netcap --net=host tshark -f 'tcp port 8080'. Killing wireshark will also stop the capture and delete the container.
What it does
The tshark container is created with the host network. By default a separate bridged interface is used, which gives containers access to each other but not the host.
dumpcap is run on the default eth0 interface and outputs all traffic in pcap format to stdout. The stdout/stderr for the container is passed through an anonymous FIFO pipe to wireshark, allowing you to monitor everything live.
docker rm instead of just passing the
--rm flag is necessary since the container inside the pipe is not actually stopped when wireshark stops.