TCPDUMP inside a container failed

I have an issue running tcpdump -i eth0 inside a container! It failed after 6 to 8 seconds!

root@graylog3:~# time tcpdump -i eth0

real 0m7.265s
user 0m0.000s
sys 0m0.011s

After investigation with strace I see some permission denied errors:

read(4, "127.0.0.1 localhost\n192.168.1.15"..., 512) = 244
close(4) = 0
write(1, "12:12:38.834828 IP graylog3.ssh "..., 8192) = -1 EACCES (Permission denied)
write(2, "tcpdump: ", 9) = -1 EACCES (Permission denied)
write(2, "Unable to write output: Permissi"..., 41) = -1 EACCES (Permission denied)
write(2, "\n", 1) = -1 EACCES (Permission denied)
exit_group(1) = ?
+++ exited with 1 +++
root@graylog3:~#

I know I could use the host interface to tcpdump the vethxxxx interface, but I need to see what veth is related to each container. Also, I don't want to give root access to the host to the local container admin.

Tested on 3.18 and 3.19

Any idea?

tcpdump sometimes conflicts with apparmor and tty allocation inside containers.
You could try running script /dev/null -c "tcpdump -i eth0" which will cause the creation of a new pseudo tty inside the container, usually taking care of the issue.

Usually tshark has escaped the apparmor ‘fixes’ and works just as well as tcpdump.

Just tried with script :(

root 1383 997 0 19:48 pts/0 00:00:00 script /dev/null -c tcpdump -i eth0
root 1384 1383 0 19:48 ? 00:00:00 [tcpdump] <defunct>

But wait! tshark works like a charm!

root@graylog3:~# tshark -i eth0
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
76 packets captured
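
Added example, not written by anyone in the thread: a shell filter that summarises which syscalls an strace log shows as denied, run on the excerpt from the first post. It separates "the capture socket was refused" from "packets were read but the write to the terminal was refused", which is the case the trace above shows. The function names, the result labels and the list of capture-side syscalls are assumptions made for this example.

```shell
#!/bin/sh
# The strace excerpt from the first post, with plain ASCII quotes.
sample_trace() {
cat <<'EOF'
read(4, "127.0.0.1 localhost\n192.168.1.15"..., 512) = 244
close(4) = 0
write(1, "12:12:38.834828 IP graylog3.ssh "..., 8192) = -1 EACCES (Permission denied)
write(2, "tcpdump: ", 9) = -1 EACCES (Permission denied)
write(2, "Unable to write output: Permissi"..., 41) = -1 EACCES (Permission denied)
write(2, "\n", 1) = -1 EACCES (Permission denied)
exit_group(1) = ?
EOF
}

# Read strace output on stdin; print "syscall first-arg errno count"
# for every call that returned EACCES or EPERM.
denied_calls() {
  awk '
    / = -1 (EACCES|EPERM) / {
      name = $0; sub(/\(.*/, "", name)                           # syscall name
      arg = $0; sub(/^[^(]*\(/, "", arg); sub(/[,)].*/, "", arg)  # first argument
      err = $0; sub(/^.* = -1 /, "", err); sub(/ .*/, "", err)    # errno symbol
      n[name " " arg " " err]++
    }
    END { for (k in n) print k, n[k] }
  ' | sort
}

# Classify the denials (heuristic, assumed for this example):
#   capture-denied  packet socket could not be opened or configured
#   output-denied   only writes to fd 1/2 failed, so capture itself worked
diagnose() {
  denied_calls | awk '
    $1 == "write" && ($2 == 1 || $2 == 2)   { out++; next }
    $1 ~ /^(socket|setsockopt|bind|ioctl)$/ { cap++; next }
    { other++ }
    END {
      if (cap)        print "capture-denied"
      else if (out)   print "output-denied"
      else if (other) print "other-denied"
      else            print "no-denials"
    }'
}

sample_trace | diagnose
```

To use it on a live trace, save the output with strace -o trace.txt tcpdump -i eth0 and run diagnose < trace.txt.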