Docker Interface TcpDump

Investigating network problems within docker can be tricky. Let’s see how to get more details how to see the communication between docker and host.

If you are familiar with wireshark and linux, then probably you have also heard about tcpdump. If not, then it is a tool we can use to see what is happening on the interface (network), in our case used by docker to communicate with host, via tcp. The first problem we face is when you run multiple containers then each of them gets a virtual interface with some weird name like veth988ee0c. But which one actually coresponds to which container?

Firstly, lets assume we have a running container called notebook (I use docker mainly for running jupyter notebooks, that’s where the names comes from). The simplest way to list the interface used for communication with host is by running the command below, we do not even need to enter the cotainer (attach, or launch bash).

user@host:~$ docker exec notebook ip -o -4 ad
1: lo inet scope host lo\ valid_lft forever preferred_lft forever
6: eth0 inet scope global eth0\ valid_lft forever preferred_lft forever

In this case I have only two interfaces in docker, probably the most typical case. And I know it communicates with host using eth0. So, let’s identify this interface on the host machine. To do that we need to get ifindex of the interface. We can get it by running (note the eth0 in the path name).

user@host:~$ docker exec notebook cat /sys/class/net/eth0/iflink

In my cae it returned number 7. Now we may find interface with the corresponding ifindex value.

user@host:~$ ip ad | grep ^7:
7: veth988ee0c@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default

Given that we may peek on the trafic on this interface on the host machine.

user@host:~$ sudo tcpdump -i veth988ee0c
[sudo] password for user:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth988ee0c, link-type EN10MB (Ethernet), capture size 262144 bytes
00:48:05.668500 IP > gateway.59921: Flags [P.], seq 2173393322:2173393324, ack 1603140641, win 34398, length 2

Of course all that can be run with a one line command.

ip ad | grep ^$(docker exec notebook cat /sys/class/net/eth0/iflink): | grep -o ' [^@]*' | head -n 1 | xargs sudo tcpdump -i

Hopefully that can help you analyzing what is happening with your packets sent form the docker on the host side. If you need to check them on the docker side just run tcpdump within the docker.

Leave a Reply