oriolrius.cat

Des del 2000 compartiendo sobre…

Tag: tcpflow

Sniffing Network Traffic in Docker Containers: Leveraging Host’s tcpdump, tcpflow, and more

Reading time: 2 – 3 minutes

In a Dockerized environment, one often encounters the need to monitor network traffic. However, one might not always wish to install sniffing tools within the container itself. By diving into the network namespace of the container, one can employ the host’s network packages such as tcpdump, tcpflow, and others, to achieve this without augmenting the container’s environment.

Step 1: Dive into the Container’s Network Namespace

Fetch the SandboxKey, which denotes the container’s network namespace:

SANDBOX_KEY=$(docker inspect <CONTAINER_ID> --format '{{ .NetworkSettings.SandboxKey }}')

Enter the container’s network namespace:

sudo nsenter --net=$SANDBOX_KEY

Step 2: Sniff Network Traffic Using Host’s Tools

Having entered the namespace, you can now utilize the host’s packages.

Using tcpdump:

tcpdump -i <INTERFACE_NAME> -w <OUTPUT_FILE.pcap>

Replace <INTERFACE_NAME> as per requirement (typically eth0 for Docker containers). For tcpdump, <OUTPUT_FILE.pcap> is the desired capture file. For tcpflow, <OUTPUT_DIRECTORY> is where the captured streams will be saved.

Conclusion

By navigating into a Docker container’s network namespace, you can readily use the network tools installed on the host system. This strategy circumvents the need to pollute the container with additional packages, upholding the principle of container immutability.

sslsnoop – hacking OpenSSH

Reading time: < 1 minute Using sslsnoop you can dump SSH keys used in a session and decode ciphered traffic. Supported algorithms are: aes128-ctr, aes192-ctr, aes256-ctr, blowfish-cbc, cast128-cbc. Basic sslsnoop information:

 $ sudo sslsnoop # try ssh, sshd and ssh-agent… for various things
 $ sudo sslsnoop-openssh live `pgrep ssh` # dumps SSH decrypted traffic in outputs/
 $ sudo sslsnoop-openssh offline –help # dumps SSH decrypted traffic in outputs/ from a pcap file
 $ sudo sslsnoop-openssl `pgrep ssh-agent` # dumps RSA and DSA keys

Take a look into the project in sslsnoop github page.