Appendix_B_tcpdump_lab

Appendix B: Docker Network Sniffing with tcpdump Lab

This lab demonstrates how to use tcpdump to inspect network traffic within Docker environments. We will create a custom Docker image containing tcpdump, set up a simple web server, generate some traffic, and then use tcpdump to sniff that traffic.

1. Create a Custom tcpdump Image

Create a Dockerfile: Create a file named Dockerfile (no extension) in a new directory with the following content:
```
FROM ubuntu
RUN apt-get update && apt-get install -y tcpdump
# Default command captures traffic on eth0.
# You can override this or add more specific tcpdump arguments at runtime.
CMD ["tcpdump", "-i", "eth0", "-n", "-s0", "-A"]
```
(Changed CMD to JSON format for clarity and added some common useful flags: -n to disable name resolution, -s0 to capture full packets, -A to print ASCII.)
Build the Docker image: Navigate to the directory containing your Dockerfile and run:
```
docker build -t my-tcpdump .
```
This creates an image named my-tcpdump that we can use later.

2. Set Up a Demo Network and Service

Create a Docker network: This allows containers to communicate with each other by name.
```
docker network create demo-net
```
Run an Nginx web server: This will be our target service to generate traffic to.
```
docker run -d --network demo-net --name wwwnginx nginx
```

3. Generate Traffic

Use a tool like siege (or even curl from another container on demo-net) to send HTTP requests to the Nginx server. The original example used dockersec/siege.

# Ensure the dockersec/siege image is available or use curl from another container:
# Example using siege:
docker run --rm -it --network demo-net dockersec/siege -c 1 -r 1 http://wwwnginx/
# Example using curl from an alpine container:
# docker run --rm -it --network demo-net alpine curl http://wwwnginx/

(Added --rm to siege/curl containers for auto-cleanup. Added note about siege image and alternative with curl.)

4. Sniffing Traffic

Now, we'll use our my-tcpdump image to inspect traffic on the wwwnginx container's network interface.

Sniff all traffic on wwwnginx: This command runs tcpdump from our my-tcpdump image but attaches it to the network namespace of the wwwnginx container.
```
docker run --rm -it --network container:wwwnginx my-tcpdump
```
(Used my-tcpdump image. Added --rm for auto-cleanup.) You should see the traffic generated in step 3. Press Ctrl+C to stop.
Sniff specific traffic (e.g., port 80): You can pass arguments to tcpdump to filter the captured traffic. Since our Dockerfile's CMD already includes tcpdump and some flags, we just add the filter expression.
```
docker run --rm -it --network container:wwwnginx my-tcpdump port 80
```
(Corrected the double tcpdump and used my-tcpdump image. The arguments port 80 will be appended to the CMD in the Dockerfile.)
Alternatively, if you wanted to completely override the Dockerfile's CMD and provide all tcpdump arguments:
```
# Example of overriding CMD:
# docker run --rm -it --network container:wwwnginx my-tcpdump tcpdump -i any -n -s0 -A port 80
```
(Added an example of how to override CMD if needed.)

Home

PreviousAppendix_A_docker_k8s_install NextKubernetes_getting_started

Last updated 6 months ago