A Docker Container To Capture All Traffic From Host.

Yesterday I was helping someone who needed to monitor and record all the traffic from a couple of servers for a day, to investigate a strange issue that was happening.

Normally for this I would just tell them to run this command, which rotates the output file every 900 seconds (-G) and exits after 96 files (-W), so a day's worth of traffic ends up in 15 minute chunks:
tcpdump -G 900 -w '%Y-%m-%d_%H:%M:%S.pcap' -W 96

…but this is 2016 and we have containers!

[Image: 20-ft shipping container. (Not An Actual Docker Container.)]

So I did what any self-respecting security professional would do and spent a Friday night writing a tcpdump container and put it on Docker Hub.

So now in the future when anyone wants to record all the traffic from a server all they have to do is run
docker run -v ~/pcap:/pcap --net=host -d jgamblin/tcpdump
and the pcaps will be saved in ~/pcap in their home directory. The --net=host flag puts the container in the host's network namespace, which is what lets tcpdump see the host's interfaces. Keep in mind that the captures contain full packet payloads, including any plaintext credentials that crossed the wire, so treat that directory as sensitive, and expect a busy server to fill it quickly over a day.

[Screenshot: 2016-05-28 11:23 AM]

If you want to build your own copy here is everything I have in the dockerfile:
FROM debian
# tcpdump is the only package the image needs
RUN apt-get update && apt-get install -y tcpdump && rm -rf /var/lib/apt/lists/*
RUN mkdir /pcap
# each RUN is a fresh shell, so a "RUN cd" does not persist; WORKDIR does
WORKDIR /pcap
# exec form makes tcpdump PID 1, so "docker stop" sends it SIGTERM and the
# current file is closed cleanly instead of being left truncated
CMD ["tcpdump", "-G", "900", "-w", "/pcap/%Y-%m-%d_%H:%M:%S.pcap", "-W", "96"]

From here if you wanted to display the PCAPs in a browser for easy access all you need to do is run
docker run -h tccdumpweb -p 1337:80 -v ~/pcap:/var/www/html/ -d eboraas/apache
and all files captured will be listed at http://hostip:1337. Note that Apache serves them with no authentication to anyone who can reach that port, so on anything but an isolated lab box bind it to loopback (-p 127.0.0.1:1337:80) and reach it through an SSH port forward, and mount the directory read-only (:ro) so the web container cannot alter the captures.
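The two docker run lines above work, but they hand the capture container Docker's full default capability set and publish the pcaps to every network the host sits on. The script below is an added example, not code from the original post or from the jgamblin/tcpdump or eboraas/apache images: it prints hardened versions of both commands and checks the -G/-W rotation arithmetic so a requested window is not silently shortened. The function names are mine, and the capability list assumes the image's tcpdump is Debian's build, which drops to its own unprivileged user after opening the packet socket and keeps CAP_DAC_OVERRIDE so that user can still write the savefile.

```shell
#!/bin/sh
# Added example; not code from the original post or from the
# jgamblin/tcpdump or eboraas/apache images. Prints hardened versions of
# the post's two docker run lines and checks the -G/-W arithmetic.
# Assumption: the image's tcpdump is Debian's build (drops to its own
# unprivileged user after opening the socket and keeps CAP_DAC_OVERRIDE
# so that user can still write the savefile). Function names are mine.
set -eu

# rotation_args CHUNK_MINUTES TOTAL_HOURS -> "-G <seconds> -W <files>"
# -G rotates the savefile every N seconds; with -W, tcpdump exits once
# that many files exist, so chunk * files must equal the wanted window.
rotation_args() {
    chunk_min=$1
    total_min=$(( $2 * 60 ))
    files=$(( total_min / chunk_min ))
    if [ $(( files * chunk_min )) -ne "$total_min" ]; then
        echo "rotation_args: ${chunk_min}m does not divide $2h evenly" >&2
        return 1
    fi
    printf '%s %s %s %s' -G $(( chunk_min * 60 )) -W "$files"
}

# capture_cmd OUTDIR IFACE CHUNK_MINUTES TOTAL_HOURS
# Prints, rather than runs, the docker run line for the capture.
capture_cmd() {
    outdir=$1
    iface=$2
    rot=$(rotation_args "$3" "$4") || return 1
    printf 'docker run -d --name tcpdump --net=host'
    # --net=host is what exposes the host's interfaces to tcpdump. Of
    # Docker's default capability set only NET_RAW (open the packet
    # socket), SETUID/SETGID (tcpdump's own privilege drop) and
    # DAC_OVERRIDE (write the savefile as the dropped user) are needed.
    printf ' --cap-drop=ALL --cap-add=NET_RAW --cap-add=SETUID'
    printf ' --cap-add=SETGID --cap-add=DAC_OVERRIDE'
    printf ' --security-opt no-new-privileges --read-only'
    # The bind mount is the only writable path in the container.
    printf ' -v %s:/pcap jgamblin/tcpdump' "$outdir"
    # Name the interface explicitly and use an absolute output path: a
    # relative -w lands in the container's working directory, which is
    # not the volume unless the image set WORKDIR.
    printf ' tcpdump -i %s %s -w /pcap/%s\n' "$iface" "$rot" '%Y-%m-%d_%H:%M:%S.pcap'
}

# web_cmd OUTDIR PORT
# The captures are full payloads, so bind the listing to loopback only
# (reach it through an SSH port forward) and mount the directory
# read-only so a compromised web container cannot alter the evidence.
web_cmd() {
    printf 'docker run -d -h tcpdumpweb -p 127.0.0.1:%s:80' "$2"
    printf ' -v %s:/var/www/html/:ro eboraas/apache\n' "$1"
}

# Usage: sh capture.sh /home/alice/pcap eth0 15 24 1337
# Review the two printed commands, then pipe them to sh to run them.
if [ "$#" -eq 5 ]; then
    capture_cmd "$1" "$2" "$3" "$4"
    web_cmd "$1" "$5"
fi
```

The script prints the commands instead of executing them so the capability list and mount options can be reviewed before anything touches the host; dropping to NET_RAW alone would look tighter, but Debian's tcpdump would then fail its own setuid/setgid call and exit, which is why SETUID, SETGID and DAC_OVERRIDE stay in the list.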

[Screenshot: 2016-05-28 11:50 AM]

Happy tcpdumping!
