A Docker Container To Capture All Traffic From Host.

Yesterday I was in a situation where I was helping someone who needed to monitor and record all the traffic from a couple of servers for a day to investigate a strange issue that was happening.

Normally for this I would just tell them to run this command, which records a day's worth of traffic into 15-minute chunks (96 files of 900 seconds each; tcpdump exits on its own once the 96th file has been written):

tcpdump -G 900 -w '%Y-%m-%d_%H:%M:%S.pcap' -W 96

…but this is 2016 and we have containers!

[Image: Not An Actual Docker Container.]

So I did what any self-respecting security professional would do and spent a Friday night writing a tcpdump container and putting it on Docker Hub.

So now in the future when anyone wants to record all the traffic from a server, all they have to do is run

docker run -v ~/pcap:/pcap --net=host -d jgamblin/tcpdump

and the pcaps will be written to ~/pcap in their home directory. `--net=host` puts the container in the host's network namespace, so tcpdump sees the host's real interfaces; it runs fine with Docker's default capability set, so `--privileged` is not needed. Two things worth doing first: create ~/pcap yourself with mode 0700 before starting the container (otherwise Docker creates it owned by root), because the captures hold full packet payloads, credentials included; and remember the container keeps capturing for 24 hours and then exits on its own, so use `docker stop` if you want to end it earlier.

If you want to build your own copy, here is the Dockerfile. Two details matter: a `RUN cd /pcap` line does nothing, because every RUN starts in a fresh shell (WORKDIR is the right tool, and it creates the directory if needed); and CMD is written in exec form so that tcpdump is PID 1 and receives the SIGTERM that `docker stop` sends, giving it the chance to flush and close the current chunk instead of being killed mid-write:

FROM debian

# tcpdump only; skip recommends and drop the apt lists to keep the image small
RUN apt-get update && apt-get install -y --no-install-recommends tcpdump \
    && rm -rf /var/lib/apt/lists/*

# WORKDIR creates /pcap if it does not exist; the host directory is bind-mounted here
WORKDIR /pcap

# Exec form: no wrapping /bin/sh, so "docker stop" reaches tcpdump itself.
# 96 files x 900 s = 24 hours, after which tcpdump exits and the container stops.
# No -i is given, so tcpdump captures on the first configured non-loopback
# interface; use -i any (or a specific interface) on a multi-homed server.
CMD ["tcpdump", "-G", "900", "-w", "%Y-%m-%d_%H:%M:%S.pcap", "-W", "96"]
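Once a day's chunks have landed in ~/pcap it is worth checking them before handing them over, especially the last one: if the container was killed rather than stopped, tcpdump never got to flush and close the file it was writing, and that file can end in a partial record. The checker below is an added example, not code from the original post or from the jgamblin/tcpdump image. It uses only the Python standard library and the pcap file format (24-byte global header, 16-byte record headers), walks every record, reports packet count, link type, snaplen and first/last timestamps, and flags a file that ends mid-record. The sample pcap it builds at the bottom is constructed in memory so the script runs offline; point `check_capture_dir` at a real capture directory to run it over tcpdump's output.

```python
"""Sanity-check the rotated pcap chunks that "tcpdump -G 900 -w ... -W 96" writes.

Added example, not code from the original post. Standard library only; the
sample frames and timestamps at the bottom are constructed, not captured.
"""
import struct
import sys
from pathlib import Path

# Raw magic bytes at offset 0 -> (struct byte-order prefix, timestamp unit)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),  # little-endian, microseconds (tcpdump on x86)
    b"\xa1\xb2\xc3\xd4": (">", "us"),  # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", "ns"),  # big-endian, nanoseconds
}
GLOBAL_HDR = 24   # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = 16   # ts_sec, ts_frac, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def check_pcap(data: bytes) -> dict:
    """Walk one pcap file held in memory and summarise it.

    Raises ValueError when the bytes are not pcap or a record header contradicts
    the global header. A clean cut-off at the end, which is what a killed writer
    leaves behind, is reported through the 'truncated' flag instead.
    """
    if len(data) < GLOBAL_HDR:
        raise ValueError("shorter than a pcap global header")
    try:
        order, unit = MAGICS[data[:4]]
    except KeyError:
        raise ValueError(f"not a pcap file (magic {data[:4].hex()})") from None
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:GLOBAL_HDR])

    offset, packets, captured, truncated = GLOBAL_HDR, 0, 0, False
    first_ts = last_ts = None
    while offset < len(data):
        if offset + RECORD_HDR > len(data):
            truncated = True          # partial record header at EOF
            break
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[offset:offset + RECORD_HDR])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"corrupt record header at offset {offset}: "
                             f"incl_len={incl_len} orig_len={orig_len} snaplen={snaplen}")
        offset += RECORD_HDR
        if offset + incl_len > len(data):
            truncated = True          # header promises more payload than the file holds
            break
        ts = ts_sec + ts_frac / (1e9 if unit == "ns" else 1e6)
        first_ts = ts if first_ts is None else first_ts
        last_ts = ts
        offset += incl_len
        packets += 1
        captured += incl_len
    return {"version": f"{major}.{minor}", "linktype": linktype, "snaplen": snaplen,
            "packets": packets, "bytes_captured": captured, "truncated": truncated,
            "first_ts": first_ts, "last_ts": last_ts}


def check_capture_dir(directory) -> list:
    """Report on every *.pcap in a directory, oldest chunk first: the strftime
    names tcpdump writes (%Y-%m-%d_%H:%M:%S.pcap) sort chronologically."""
    return [(p.name, check_pcap(p.read_bytes())) for p in sorted(Path(directory).glob("*.pcap"))]


# --- constructed sample data (not a real capture) -----------------------------

def build_pcap(frames, timestamps, snaplen=262144, linktype=LINKTYPE_ETHERNET) -> bytes:
    """Write a little-endian, microsecond-resolution pcap, tcpdump's default layout."""
    out = bytearray(b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, snaplen, linktype))
    for frame, ts in zip(frames, timestamps):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(captured), len(frame))
        out += captured
    return bytes(out)


def sample_frame(seq: int) -> bytes:
    """A dummy 60-byte broadcast Ethernet frame carrying an IPv4 ethertype."""
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00" + bytes([seq]) + b"\x08\x00" + b"\x00" * 46


SAMPLE_TS = [1460000000.0 + i * 0.5 for i in range(5)]
SAMPLE_PCAP = build_pcap([sample_frame(i) for i in range(5)], SAMPLE_TS)
# What the current chunk looks like when the writer was killed mid-record:
TRUNCATED_PCAP = SAMPLE_PCAP[:-20]


if __name__ == "__main__":
    for label, blob in (("complete", SAMPLE_PCAP), ("truncated", TRUNCATED_PCAP)):
        print(label, check_pcap(blob))
    # Usage on real output: python3 check_pcaps.py ~/pcap
    for name, report in check_capture_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        flag = "TRUNCATED " if report["truncated"] else ""
        print(f"{flag}{name}: {report['packets']} packets, {report['bytes_captured']} bytes")
```

A chunk flagged as truncated is still readable up to the last complete record, and tcpdump, Wireshark and tshark will all open it; the flag just tells you that the tail of that 15-minute window is missing, which matters when the thing you are investigating happened right before the container died.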

From here, if you want to browse the PCAPs in a browser for easy access, all you need to do is run

docker run -h tcpdumpweb -p 1337:80 -v ~/pcap:/var/www/html/:ro -d eboraas/apache

and all files captured will be listed at http://hostip:1337. The mount is read-only so the web container cannot touch the captures. Be aware that this serves a day of raw traffic, with no authentication, to anything that can reach port 1337 on that host: unless the server sits on a network you already trust, bind the listener to loopback instead (`-p 127.0.0.1:1337:80`) and reach it over an SSH port forward, or put it behind authentication.

Happy tcpdumping!