oriolrius.cat

Des del 2000 compartiendo sobre…

Tag: monitor

Sniffing Network Traffic in Docker Containers: Leveraging Host’s tcpdump, tcpflow, and more

Reading time: 2 – 3 minutes

In a Dockerized environment, one often encounters the need to monitor network traffic. However, one might not always wish to install sniffing tools within the container itself. By diving into the network namespace of the container, one can employ the host’s network packages such as tcpdump, tcpflow, and others, to achieve this without augmenting the container’s environment.

Step 1: Dive into the Container’s Network Namespace

Fetch the SandboxKey, which denotes the container’s network namespace:

SANDBOX_KEY=$(docker inspect <CONTAINER_ID> --format '{{ .NetworkSettings.SandboxKey }}')

Enter the container’s network namespace:

sudo nsenter --net=$SANDBOX_KEY

Step 2: Sniff Network Traffic Using Host’s Tools

Having entered the namespace, you can now utilize the host’s packages.

Using tcpdump:

tcpdump -i <INTERFACE_NAME> -w <OUTPUT_FILE.pcap>

Replace <INTERFACE_NAME> as per requirement (typically eth0 for Docker containers). For tcpdump, <OUTPUT_FILE.pcap> is the desired capture file. For tcpflow, <OUTPUT_DIRECTORY> is where the captured streams will be saved.

Conclusion

By navigating into a Docker container’s network namespace, you can readily use the network tools installed on the host system. This strategy circumvents the need to pollute the container with additional packages, upholding the principle of container immutability.

FileMON – monitor d’accessós al sistema de fitxers de win

Reading time: 2 – 2 minutes

FileMON:Aquesta petita eina de la gent de sysinternals ens permet monitoritzar en temps reals quins fitxers estan sent usats pel windows. Això és el problema de treballar amb sistemes tan opacs com el windows que necessites eines com el FileMON que et monitoritzin quins fitxers estan sent usats sinó no saps què carai esta fallant o en que esta enganxat el sistema en cada moment.

En la introducció del propi producte crec que es fa una bona descripció de quines funcions té l’eina:

FileMon monitors and displays file system activity on a system in real-time. Its advanced capabilities make it a powerful tool for exploring the way Windows works, seeing how applications use the files and DLLs, or tracking down problems in system or application file configurations. Filemon’s timestamping feature will show you precisely when every open, read, write or delete, happens, and its status column tells you the outcome. FileMon is so easy to use that you’ll be an expert within minutes. It begins monitoring when you start it, and its output window can be saved to a file for off-line viewing. It has full search capability, and if you find that you’re getting information overload, simply set up one or more filters.

També ens ajuda a fer-nos una idea de l’aspecte de la pantalla el següent screenshot:

filemon.gif