I have an issue running tcpdump -i eth0 inside a container! It failed after 6 to 8 seconds!
root@graylog3:~# time tcpdump -i eth0
real 0m7.265s
user 0m0.000s
sys 0m0.011s
After investigation with strace I see some permission denied:
read(4, "127.0.0.1 localhost\n192.168.1.15"..., 512) = 244
close(4) = 0
write(1, "12:12:38.834828 IP graylog3.ssh "..., 8192) = -1 EACCES (Permission denied)
write(2, "tcpdump: ", 9) = -1 EACCES (Permission denied)
write(2, "Unable to write output: Permissi"..., 41) = -1 EACCES (Permission denied)
write(2, "\n", 1) = -1 EACCES (Permission denied)
exit_group(1) = ?
+++ exited with 1 +++
root@graylog3:~#
I know I could use the host interface to tcpdump the vethxxxx interface, but I need to see what veth is related to each container; also, I don’t want to give root access to the host to the local container admin.
Tested on 3.18 and 3.19
Any idea?
stgraber (Stéphane Graber), January 27, 2020, 5:40pm
tcpdump sometimes conflicts with apparmor and tty allocation inside containers.
You could try running script /dev/null -c "tcpdump -i eth0"
which will cause the creation of a new pseudo tty inside the container, usually taking care of the issue.
Usually tshark has escaped the apparmor ‘fixes’ and works just as well as tcpdump.
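To check whether the AppArmor/tty conflict mentioned above is what is blocking tcpdump, look in the kernel log for AppArmor DENIED records from tcpdump that name a terminal device. The following is an added example, not part of the thread: the sample log lines are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample kernel log lines (not taken from the thread). The
# key=value layout follows the kernel's AppArmor audit record format.
SAMPLE_LOG = '''\
[ 101.1] audit: type=1400 audit(1580145158.834:211): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-c1_<var-lib-lxd>" profile="/usr/sbin/tcpdump" name="/dev/pts/0" pid=1384 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=1000000
[ 101.2] audit: type=1400 audit(1580145158.835:212): apparmor="DENIED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/tcpdump" name="dev/pts/0" pid=1384 comm="tcpdump" requested_mask="w" denied_mask="w" fsuid=1000000 ouid=1000000
[ 101.3] audit: type=1400 audit(1580145158.836:213): apparmor="ALLOWED" operation="open" profile="/usr/sbin/tcpdump" name="/etc/hosts" pid=1384 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
[ 102.0] audit: type=1400 audit(1580145160.001:214): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 103.0] eth0: renamed from vethAB12CD
'''

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Terminal devices; the leading slash is optional because a path that is
# disconnected from the task's mount namespace is logged without it.
TTY_PATH = re.compile(r'^/?dev/(pts/\d+|tty\w*|console)$')


def parse_record(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def tty_denials(log_text, comm="tcpdump"):
    """List (profile, operation, name, denied_mask) for every DENIED
    access by `comm` to a terminal device."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        if rec.get("comm") != comm or not TTY_PATH.match(rec.get("name", "")):
            continue
        hits.append((rec.get("profile"), rec.get("operation"),
                     rec.get("name"), rec.get("denied_mask")))
    return hits


if __name__ == "__main__":
    for hit in tty_denials(SAMPLE_LOG):
        print(hit)
```

On a real system, pass the text of `dmesg` or `journalctl -k` instead of `SAMPLE_LOG`.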
Just tried with script:
root 1383 997 0 19:48 pts/0 00:00:00 script /dev/null -c tcpdump -i eth0
root 1384 1383 0 19:48 ? 00:00:00 [tcpdump] <defunct>
But wait! tshark works like a charm!
root@graylog3:~# tshark -i eth0
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
1 0.000000000 192.168.1.206 → 192.168.1.255 UDP 63 37327 → 32412 Len=21
2 0.121170700 192.168.1.171 → 192.168.1.255 UDP 77 46163 → 15600 Len=35
3 0.208232217 SamsungE_b7:11:ed → Broadcast ARP 60 Who has 192.168.1.1? Tell 192.168.1.171
4 0.213570973 192.168.1.206 → 239.255.255.250 SSDP 143 M-SEARCH * HTTP/1.1
5 0.257489540 Sonos_49:bc:42 → Broadcast 0x6970 74 Ethernet II
6 0.431601613 192.168.1.166 → 192.168.1.155 HTTP 1213 POST /api/cluster/metrics/multiple HTTP/1.1 (application/json)
7 0.438601800 192.168.1.155 → 192.168.1.166 HTTP 935 HTTP/1.1 200 OK (application/json)
8 0.438802880 192.168.1.166 → 192.168.1.155 TCP 66 32786 → 9000 [ACK] Seq=1148 Ack=870 Win=443 Len=0 TSval=1637119592 TSecr=2953593125
9 0.566144601 192.168.1.155 → 192.168.1.166 SSH 182 Server: Encrypted packet (len=116)
10 0.566184422 192.168.1.155 → 192.168.1.166 SSH 286 Server: Encrypted packet (len=220)
11 0.566254307 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=117 Win=443 Len=0 TSval=1637119720 TSecr=2953593253
12 0.566259099 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=337 Win=443 Len=0 TSval=1637119720 TSecr=2953593253
13 0.566272634 192.168.1.155 → 192.168.1.166 SSH 190 Server: Encrypted packet (len=124)
14 0.566390780 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=461 Win=443 Len=0 TSval=1637119720 TSecr=2953593253
15 0.566406679 192.168.1.155 → 192.168.1.166 SSH 174 Server: Encrypted packet (len=108)
16 0.566494029 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=569 Win=443 Len=0 TSval=1637119720 TSecr=2953593253
17 0.792323814 192.168.1.166 → 192.168.1.155 HTTP 636 GET /api/system/notifications HTTP/1.1
18 0.794764595 192.168.1.155 → 192.168.1.166 HTTP 316 HTTP/1.1 200 OK (application/json)
19 0.794887088 192.168.1.166 → 192.168.1.155 TCP 66 32786 → 9000 [ACK] Seq=1718 Ack=1120 Win=443 Len=0 TSval=1637119948 TSecr=2953593481
20 0.984132664 Cisco_ef:4f:5f → Spanning-tree-(for-bridges)_00 STP 60 RST. Root = 32768/0/00:08:9b:f3:1e:18 Cost = 20000 Port = 0x83ea
21 1.078128286 192.168.1.155 → 192.168.1.166 SSH 230 Server: Encrypted packet (len=164)
22 1.078315182 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=733 Win=443 Len=0 TSval=1637120232 TSecr=2953593765
23 1.078719801 192.168.1.155 → 192.168.1.166 SSH 342 Server: Encrypted packet (len=276)
24 1.078780538 192.168.1.155 → 192.168.1.166 SSH 198 Server: Encrypted packet (len=132)
25 1.078831467 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=1009 Win=443 Len=0 TSval=1637120232 TSecr=2953593765
26 1.078854423 192.168.1.155 → 192.168.1.166 SSH 198 Server: Encrypted packet (len=132)
27 1.078876935 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=1141 Win=443 Len=0 TSval=1637120232 TSecr=2953593765
28 1.078942410 192.168.1.155 → 192.168.1.166 SSH 246 Server: Encrypted packet (len=180)
29 1.078978392 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=1273 Win=443 Len=0 TSval=1637120232 TSecr=2953593765
30 1.078987241 192.168.1.155 → 192.168.1.166 SSH 478 Server: Encrypted packet (len=412)
31 1.079040417 192.168.1.155 → 192.168.1.166 SSH 334 Server: Encrypted packet (len=268)
32 1.079074543 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=1453 Win=443 Len=0 TSval=1637120232 TSecr=2953593765
33 1.079077111 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=1865 Win=443 Len=0 TSval=1637120232 TSecr=2953593765
34 1.079124354 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=2133 Win=443 Len=0 TSval=1637120232 TSecr=2953593766
35 1.079155073 192.168.1.155 → 192.168.1.166 SSH 206 Server: Encrypted packet (len=140)
36 1.079225038 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=2273 Win=443 Len=0 TSval=1637120233 TSecr=2953593766
37 1.079234793 192.168.1.155 → 192.168.1.166 SSH 198 Server: Encrypted packet (len=132)
38 1.079285986 192.168.1.155 → 192.168.1.166 SSH 246 Server: Encrypted packet (len=180)
39 1.079323497 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=2405 Win=443 Len=0 TSval=1637120233 TSecr=2953593766
40 1.079372508 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=2585 Win=443 Len=0 TSval=1637120233 TSecr=2953593766
41 1.168693511 192.168.1.171 → 224.0.0.7 UDP 217 8001 → 8001 Len=175
^C 42 1.425077668 192.168.1.165 → 192.168.1.255 UDP 63 51454 → 32412 Len=21
43 1.594022919 192.168.1.155 → 192.168.1.166 SSH 342 Server: Encrypted packet (len=276)
44 1.594086929 192.168.1.155 → 192.168.1.166 SSH 378 Server: Encrypted packet (len=312)
45 1.594157412 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=2861 Win=443 Len=0 TSval=1637120747 TSecr=2953594281
46 1.594169344 192.168.1.155 → 192.168.1.166 SSH 198 Server: Encrypted packet (len=132)
47 1.594162714 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=3173 Win=443 Len=0 TSval=1637120748 TSecr=2953594281
48 1.594214540 192.168.1.155 → 192.168.1.166 SSH 246 Server: Encrypted packet (len=180)
49 1.594254631 192.168.1.155 → 192.168.1.166 SSH 378 Server: Encrypted packet (len=312)
50 1.594251811 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=3305 Win=443 Len=0 TSval=1637120748 TSecr=2953594281
51 1.594299129 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=3485 Win=443 Len=0 TSval=1637120748 TSecr=2953594281
52 1.594315606 192.168.1.155 → 192.168.1.166 SSH 198 Server: Encrypted packet (len=132)
53 1.594349468 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=3797 Win=443 Len=0 TSval=1637120748 TSecr=2953594281
54 1.594353725 192.168.1.155 → 192.168.1.166 SSH 246 Server: Encrypted packet (len=180)
55 1.594398893 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=3929 Win=443 Len=0 TSval=1637120748 TSecr=2953594281
56 1.594448414 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=4109 Win=443 Len=0 TSval=1637120748 TSecr=2953594281
57 1.594456244 192.168.1.155 → 192.168.1.166 SSH 198 Server: Encrypted packet (len=132)
58 1.594499802 192.168.1.155 → 192.168.1.166 SSH 198 Server: Encrypted packet (len=132)
59 1.594507215 192.168.1.155 → 192.168.1.166 SSH 246 Server: Encrypted packet (len=180)
60 1.594548471 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=4241 Win=443 Len=0 TSval=1637120748 TSecr=2953594281
61 1.594557873 192.168.1.155 → 192.168.1.166 SSH 246 Server: Encrypted packet (len=180)
62 1.594598234 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=4553 Win=443 Len=0 TSval=1637120748 TSecr=2953594281
63 1.594631033 192.168.1.155 → 192.168.1.166 SSH 246 Server: Encrypted packet (len=180)
64 1.594681184 192.168.1.155 → 192.168.1.166 SSH 378 Server: Encrypted packet (len=312)
65 1.594700370 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=4733 Win=443 Len=0 TSval=1637120748 TSecr=2953594281
66 1.594731972 192.168.1.155 → 192.168.1.166 SSH 198 Server: Encrypted packet (len=132)
67 1.594748456 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=4913 Win=443 Len=0 TSval=1637120748 TSecr=2953594281
68 1.594765296 192.168.1.155 → 192.168.1.166 SSH 198 Server: Encrypted packet (len=132)
69 1.594796617 192.168.1.155 → 192.168.1.166 SSH 246 Server: Encrypted packet (len=180)
70 1.594797312 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=5225 Win=443 Len=0 TSval=1637120748 TSecr=2953594281
71 1.594848220 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=5357 Win=443 Len=0 TSval=1637120748 TSecr=2953594281
72 1.594866375 192.168.1.155 → 192.168.1.166 SSH 246 Server: Encrypted packet (len=180)
73 1.594897116 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=5669 Win=443 Len=0 TSval=1637120748 TSecr=2953594281
74 1.594948517 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=5849 Win=443 Len=0 TSval=1637120748 TSecr=2953594281
75 1.594968616 192.168.1.155 → 192.168.1.166 SSH 182 Server: Encrypted packet (len=116)
76 1.595046529 192.168.1.166 → 192.168.1.155 TCP 66 36642 → 22 [ACK] Seq=1 Ack=5965 Win=443 Len=0 TSval=1637120748 TSecr=2953594281
76 packets captured