Yesterday I was in a situation where I was helping someone who needed to monitor and record all the traffic from a couple of servers for a day to investigate a strange issue that was happening.
Normally for this I would just tell them to run this command to record a day’s worth of traffic into 15 minute chunks.:
tcpdump -G 900 -w '%Y-%m-%d_%H:%M:%S.pcap' -W 96
…but this is 2016 and we have containers!(Not An Actual Docker Container.)
So I did what any self-respecting security professional would do and spent a Friday night writing a tcpdump container and put it on Docker Hub.
So now in the future when anyone wants to record all the traffic from a server all they have to do is run
docker run -v ~/pcap:/pcap --net=host -d jgamblin/tcpdumpand the pcaps will save in their home directory.
If you want to build your own copy here is everything I have in the dockerfile:
RUN apt-get update && apt-get install -y \
RUN mkdir /pcap
RUN cd /pcap
CMD tcpdump -G 900 -w '%Y-%m-%d_%H:%M:%S.pcap' -W 96
From here if you wanted to display the PCAPs in a browser for easy access all you need to do is run
docker run -h tccdumpweb -p 1337:80 -v ~/pcap:/var/www/html/ -d eboraas/apacheand all files captured will be displayed at http://hostip:1337.