See traffic in container

Capturing packets directly from containers

How to use Wireshark with remote containers.
By NearEDGE | August 16, 2023 | Read time 2 min
Wireshark performing remote packet capture using SSH and TCPDUMP

One of the most important debugging tools available to network engineers, and even application engineers, is the ability to see network traffic. All sorts of issues can be troubleshot when you are able to peek at the packets. To name a few possibilities, you can:

  • Assess the network AND application performance.
  • Pinpoint connectivity issues.
  • Understand data transactions.
  • Analyse trends.
  • Debug authentication.
  • Etc.

Despite its extreme usefulness, capturing data is too often a difficult task and not always readily available. This how-to article will demonstrate that a real-time capture of network traffic can be set up easily. We will set up a direct workload-to-Wireshark capture session using the noah remote access methodology.

This guide focuses on the specifics of the remote capture and presumes that the other supporting elements are already in place. In particular, you need:

  • An accessible Access Gateway; see this guide on setting one up in a virtual machine.
  • A working noah agent, either directly using the NearEDGE noah image or inside your custom image. This step-by-step guide covers both deployment models.
  • An ssh daemon reachable from the noah agent. The agent may run in an associated / side-car container while the ssh daemon resides in the main container. It is also possible to include everything in one custom image if that is your choice. This guide provides the instructions to set up an ssh daemon in your image.

Adding the TCPDUMP binary

The noah image already includes the tcpdump binary, so if you are using that image as a side-car or an associated container, nothing else needs to be done. The path to the binary is the expected /usr/bin/tcpdump.

On the other hand, if you put noah in your custom image and tcpdump is not already provided by that image, just follow this guide, adding a COPY command to bring in the tcpdump binary:

COPY --from=noah /usr/bin/tcpdump /usr/bin/tcpdump

Using the standard path avoids having to specify a full path to tcpdump in Wireshark.

Using TCPDUMP over SSH

There is no need to start tcpdump manually: it is started automatically by the SSH command that Wireshark issues. Assuming that the SSHD daemon is running and the needed credential(s) are provided (see), all you need to do is use the sshdump support built into Wireshark.

For this, you use the sshdump dialog in the GUI. If you want to learn more about sshdump, see its man page.

To start, click on the SSHDump cog wheel.

Opening the SSHDump dialog

Next, set the server address using the FQDN corresponding to the remote noah agent.

Setting the target server

Now, adjust the remote username. See this guide for more info.

Adjusting user and authentication

The last step is to adjust the interface (typically eth0, but it can be different). Do not forget to adjust the capture filter: you will more than likely want to filter out the noah traffic itself. One way of doing this is to create a negative filter matching the URL set for the Access Gateway; see this guide. Alternatively, you can simply use a filter that matches the service of the container.

Depending on your setup, you may need to select sudo. Since the traffic you want already reaches the container, you can enable the "No promiscuous mode" option.

Filter out access transport traffic

You are now ready, just click on Start. Send some traffic to your service and watch it in Wireshark!
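To make the dialog settings above concrete, here is an added example (not part of the NearEDGE article and not noah's or Wireshark's own code) of the command an sshdump-style session ends up running on the container side. It assembles the tcpdump invocation with the non-promiscuous flag, the optional sudo prefix and a negative capture filter that excludes the Access Gateway transport, and shows how the resulting pcap stream can be piped into a local Wireshark. The user name, host names and ports are placeholders, and the gateway-exclusion filter is one possible shape of the "negative filter" the text mentions; adapt it to your gateway's address and port.

```shell
#!/bin/sh
# Added example: reproduce what Wireshark's sshdump runs remotely.
# Placeholders (assumptions, not values from the article): capture-user,
# workload.example.internal, gw.example.com, 443, 8080.

# build_capture_cmd IFACE GATEWAY_HOST GATEWAY_PORT USE_SUDO
# Prints the remote tcpdump command:
#   -p        do not put the interface in promiscuous mode ("No promiscuous mode")
#   -i IFACE  the container interface, typically eth0
#   -U -w -   write packets unbuffered as pcap to stdout, for the ssh pipe
# The capture filter excludes the noah / Access Gateway transport so the
# capture is not flooded by the tunnel that carries it.
build_capture_cmd() {
  iface="$1"; gw_host="$2"; gw_port="$3"; use_sudo="$4"
  filter="not (host ${gw_host} and tcp port ${gw_port})"
  cmd="/usr/bin/tcpdump -p -i ${iface} -U -w - '${filter}'"
  if [ "$use_sudo" = "yes" ]; then
    cmd="sudo ${cmd}"
  fi
  printf '%s\n' "$cmd"
}

# build_service_filter PORT
# The alternative mentioned in the text: keep only the container's service.
build_service_filter() {
  printf 'tcp port %s\n' "$1"
}

# remote_capture USER HOST REMOTE_CMD
# Equivalent of the sshdump session: run the remote command over ssh and feed
# the pcap stream to a local Wireshark (-k starts capturing immediately,
# -i - reads from stdin).
remote_capture() {
  ssh "$1@$2" "$3" | wireshark -k -i -
}

# Typical invocation (uncomment to run against your own workload):
# remote_capture capture-user workload.example.internal \
#   "$(build_capture_cmd eth0 gw.example.com 443 no)"
```

The functions are only defined when the script is sourced, so nothing is captured until you call remote_capture with your own user, host and gateway values. The filter string is passed in single quotes so the remote shell hands it to tcpdump as one argument, which is also how the sshdump dialog's capture filter field reaches tcpdump.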
