
In the past, we’ve successfully used nicolaka/netshoot to capture network traffic of Docker containers run with docker-compose:

$ cat docker-compose.yml
version: "3.6"
services:
  tcpdump:
    image: nicolaka/netshoot
    depends_on:
      - nginx
    command: tcpdump -i any -w /data/nginx.pcap
    network_mode: service:nginx
    volumes:
      - $PWD/data:/data

  nginx:
    image: nginx:alpine
    ports:
      - 80:80
$ docker-compose up
WARNING: The Docker Engine you're using is running in swarm mode.

Compose does not use swarm mode to deploy services to multiple nodes in a swarm. All containers will be scheduled on the current node.

To deploy your application across the swarm, use `docker stack deploy`.

Creating network "netshoot_default" with the default driver
Creating netshoot_nginx_1 ... done
Creating netshoot_tcpdump_1 ... done
$ curl -s -o /dev/null http://localhost
$ docker-compose down
Stopping netshoot_tcpdump_1 ... done
Stopping netshoot_nginx_1   ... done
Removing netshoot_tcpdump_1 ... done
Removing netshoot_nginx_1   ... done
Removing network netshoot_default
$ tshark -2 -r data/nginx.pcap http
   13   4.760638   172.25.0.1 → 172.25.0.2   HTTP 145 GET / HTTP/1.1
   17   4.760866   172.25.0.2 → 172.25.0.1   HTTP 684 HTTP/1.1 200 OK  (text/html)
$

Unfortunately, this doesn’t seem to work if the containers are started with docker stack create because network_mode is not supported:

$ docker stack deploy -c docker-compose.yml netshoot
Ignoring unsupported options: network_mode

Creating network netshoot_default
Creating service netshoot_tcpdump
Creating service netshoot_nginx
$ curl -s -o /dev/null http://localhost
$ docker stack rm netshoot
Removing service netshoot_nginx
Removing service netshoot_tcpdump
Removing network netshoot_default
$ tshark -2 -r data/nginx.pcap http
$ tshark -2 -r data/nginx.pcap tcp
      6   4.221820   172.18.0.1 → 172.18.0.2   TCP 80 63798 → 80 [SYN] Seq=0 Win=65495 Len=0 MSS=65495 SACK_PERM=1 TSval=191764735 TSecr=0 WS=128
$

How can we configure our netshoot containers in the docker-compose.yml so they share the network interfaces of other containers even if they are started via docker stack create?

2 Answers


  1. From there: https://forums.docker.com/t/how-to-tcpdump-inter-service-traffic/23463/4

    Overlay network traffic in swarm does not go through docker0 or docker_gwbridge.
    There are 2 options:
    Option 1:
    Go inside container and do tcpdump:
    nicolaka/netshoot is a container with all network debug tools.

    docker run -ti --net container:<container name/id> nicolaka/netshoot
    tcpdump -i <eth0>
    

    Option 2:
    Go inside network namespace of overlay network and do tcpdump:
    First find overlay network id with docker network inspect
    Start debug container mounting network namespace:

    docker run -it --rm -v /var/run/docker/netns:/var/run/docker/netns --privileged=true nicolaka/netshoot
    

    All namespaces are listed under:
    /var/run/docker/netns

    Find your swarm overlay network namespace matching with overlay networkid of previous command.
    Then enter into network namespace:

    nsenter --net=/var/run/docker/netns/<namespace> sh
    tcpdump -i vxlan0
    
  2. I don’t know if this works for what you are trying to do, but you can still attach to the network namespace of a service container.

    Assuming that you have passwordless ssh set up to your docker swarm nodes such that:
    docker -H ssh://user@nodeN container ls retrieves the container list from one of your docker nodes then:

    docker service ps --no-trunc service_of_interest
    

    will return the ID, Name and Node of each service task. Choose one, then simply run netshoot on the same node:

    docker -H ssh://user@$NODE run --rm -it --network container:$NAME.$ID nicolaka/netshoot

    You can automate this from, say, a Makefile. But putting it in a docker-compose.yml is not going to fly as you need to supply too many dynamically looked up details and invoke docker on the specific node.

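The lookup from the second answer, scripted as an added example (not code from either answer): it turns `docker service ps` output into one capture command per running task, checking every name against an allow-list before it is placed in a command line. Assumptions: the function names, the sample task lines and the `user` account are made up for illustration, and the printed command streams a pcap to stdout with `tcpdump -w -` instead of opening the interactive shell used in the answer.

```shell
#!/bin/sh
# Added example: automate the task lookup described in the second answer.

# Allow only characters expected in swarm task and node names, because the
# values are pasted into a command line.
is_safe_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Running tasks of a service as "<service>.<slot>.<task id> <node>"; the first
# field is the task's container name, as used with --network container:...
list_tasks() {
    docker service ps --no-trunc --filter desired-state=running \
        --format '{{.Name}}.{{.ID}} {{.Node}}' "$1"
}

# Read list_tasks output on stdin; print one capture command per valid task.
# Returns non-zero if no usable task was found.
build_capture_cmds() {
    ssh_user=$1
    count=0
    is_safe_name "$ssh_user" || return 2
    while read -r container node; do
        if ! is_safe_name "$container" || ! is_safe_name "$node"; then
            echo "skipping unexpected task line" >&2
            continue
        fi
        # No -t: a TTY would corrupt the pcap stream written to stdout.
        printf 'docker -H ssh://%s@%s run --rm --network container:%s nicolaka/netshoot tcpdump -i any -U -w - > %s.pcap\n' \
            "$ssh_user" "$node" "$container" "$container"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ]
}

# Constructed sample of list_tasks output (IDs and node names are made up);
# the second line carries shell metacharacters and must be rejected.
SAMPLE='netshoot_nginx.1.k3x9q2m7c1v8b5n4z6a0s1d2f node1
netshoot_nginx.2.p0o9i8u7y6t5r4e3w2q1a2s3d node2;id'

if [ "$#" -eq 2 ]; then          # usage: script <service> <ssh user>
    list_tasks "$1" | build_capture_cmds "$2"
else                             # no arguments: run on the constructed sample
    printf '%s\n' "$SAMPLE" | build_capture_cmds user
fi
```

Each printed command has to run where the ssh access from the answer is set up, since `docker -H ssh://...` starts the netshoot container on the node that hosts the task.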