In the past, we’ve successfully used nicolaka/netshoot to capture network traffic of Docker containers run with docker-compose:
$ cat docker-compose.yml
version: "3.6"
services:
  tcpdump:
    image: nicolaka/netshoot
    depends_on:
      - nginx
    command: tcpdump -i any -w /data/nginx.pcap
    network_mode: service:nginx
    volumes:
      - $PWD/data:/data
  nginx:
    image: nginx:alpine
    ports:
      - 80:80
$ docker-compose up
WARNING: The Docker Engine you're using is running in swarm mode.
Compose does not use swarm mode to deploy services to multiple nodes in a swarm. All containers will be scheduled on the current node.
To deploy your application across the swarm, use `docker stack deploy`.
Creating network "netshoot_default" with the default driver
Creating netshoot_nginx_1 ... done
Creating netshoot_tcpdump_1 ... done
$ curl -s -o /dev/null http://localhost
$ docker-compose down
Stopping netshoot_tcpdump_1 ... done
Stopping netshoot_nginx_1 ... done
Removing netshoot_tcpdump_1 ... done
Removing netshoot_nginx_1 ... done
Removing network netshoot_default
$ tshark -2 -r data/nginx.pcap http
13 4.760638 172.25.0.1 → 172.25.0.2 HTTP 145 GET / HTTP/1.1
17 4.760866 172.25.0.2 → 172.25.0.1 HTTP 684 HTTP/1.1 200 OK (text/html)
$
Unfortunately, this doesn’t seem to work if the containers are started with docker stack create because network_mode is not supported:
$ docker stack deploy -c docker-compose.yml netshoot
Ignoring unsupported options: network_mode
Creating network netshoot_default
Creating service netshoot_tcpdump
Creating service netshoot_nginx
$ curl -s -o /dev/null http://localhost
$ docker stack rm netshoot
Removing service netshoot_nginx
Removing service netshoot_tcpdump
Removing network netshoot_default
$ tshark -2 -r data/nginx.pcap http
$ tshark -2 -r data/nginx.pcap tcp
6 4.221820 172.18.0.1 → 172.18.0.2 TCP 80 63798 → 80 [SYN] Seq=0 Win=65495 Len=0 MSS=65495 SACK_PERM=1 TSval=191764735 TSecr=0 WS=128
$
How can we configure our netshoot containers in the docker-compose.yml so they share the network interfaces of other containers even if they are started via docker stack create?
2 Answers
From there: https://forums.docker.com/t/how-to-tcpdump-inter-service-traffic/23463/4
Overlay network traffic in swarm does not go through docker0 or docker_gwbridge.
There are 2 options:
Option 1:
Go inside the container and do tcpdump:
nicolaka/netshoot is a container with all network debug tools.
Option 2:
Go inside network namespace of overlay network and do tcpdump:
First find the overlay network id with docker network inspect
Start debug container mounting network namespace:
All namespaces are listed under:
/var/run/docker/netns
Find your swarm overlay network namespace matching the overlay network id from the previous command.
Then enter into network namespace:
I don’t know if this works for what you are trying to do, but you can still attach to the network namespace of a service container.
Assuming that you have passwordless ssh set up to your docker swarm nodes such that:
docker -H ssh://user@nodeN container ls
retrieves the container list from one of your docker nodes, then:
will return the ID, Name and Node of each service task. Choose one. Then simply run netshoot on the same node:
docker -H ssh://user@$NODE run --rm -it --network container:$NAME.$ID nicolaka/netshoot
You can automate this from, say, a Makefile. But putting it in a docker-compose.yml is not going to fly as you need to supply too many dynamically looked up details and invoke docker on the specific node.
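A small POSIX shell script, added here as an example (it is not from the question or either answer), that automates the second answer's procedure: list the running tasks of a swarm service, pick one, and start nicolaka/netshoot in that task container's network namespace on its node over docker -H ssh://, writing the pcap there. The variable names SSH_USER and DATA_DIR and the function names are assumptions; the docker flags used (--no-trunc, --filter desired-state=running, --format, --network container:) are real.

```sh
#!/bin/sh
# Added example (not from the question or the answers): automate the second
# answer's procedure. Pick one running task of a swarm service, then start
# nicolaka/netshoot inside that task container's network namespace on the
# node it runs on, via docker -H ssh://, and write a pcap there.
# Assumptions: passwordless ssh as $SSH_USER to every node; $DATA_DIR exists
# on that node (the bind mount is evaluated on the node, not locally).
set -eu
SSH_USER="${SSH_USER:-user}"          # ssh user on the swarm nodes (assumed)
DATA_DIR="${DATA_DIR:-/tmp/netshoot}" # directory on the node receiving pcaps

# List running tasks of a service as "node taskname taskid" lines.
# --no-trunc matters: the container is named <taskname>.<FULL task id>.
list_tasks() {
  docker service ps --no-trunc --filter desired-state=running \
    --format '{{.Node}} {{.Name}} {{.ID}}' "$1"
}

# Read list_tasks output on stdin; print "node containername" for the task
# named $1 (e.g. netshoot_nginx.2), or for the first task when $1 is empty.
pick_task() {
  want="${1:-}"
  while read -r node name id; do
    if [ -n "$want" ] && [ "$name" != "$want" ]; then continue; fi
    printf '%s %s.%s\n' "$node" "$name" "$id"
    return 0
  done
  return 1   # no matching running task
}

# Print the docker command that joins the task's network namespace on its
# node and captures with tcpdump; printed rather than run so it can be
# reviewed (or asserted on) before eval.
netshoot_cmd() {
  printf 'docker -H ssh://%s@%s run --rm -v %s:/data --network container:%s nicolaka/netshoot tcpdump -i any -w /data/%s\n' \
    "$SSH_USER" "$1" "$DATA_DIR" "$2" "$3"
}

# usage: capture SERVICE [TASKNAME]   e.g. capture netshoot_nginx
capture() {
  svc="$1"
  line="$(list_tasks "$svc" | pick_task "${2:-}")" \
    || { echo "no running task for service $svc" >&2; return 1; }
  node="${line%% *}"; container="${line#* }"
  eval "$(netshoot_cmd "$node" "$container" "$svc.pcap")"
}

if [ "$#" -gt 0 ]; then capture "$@"; fi
```

tcpdump runs until interrupted; the pcap ends up in $DATA_DIR on the node that hosts the task, not on the machine you ran the script from.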