记录一种在不进入容器的情况下对容器进行抓包的方法。
方法介绍
简单来说就是找到容器所用的网卡,然后在 host 机器上对该网卡进行抓包就可以了 :joy
操作示例
找到这个容器使用的网卡:
$ PID=$(docker inspect --format {{.State.Pid}} test2)
$ nsenter -n -t $PID ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
18: eth0@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
上面的那个 @if19 是关键信息,然后在 host 机器上找到这个 @if19 对应的网卡:
# ip addr
...
19: veth504d7e6@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 9a:e8:ea:58:9d:f1 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::98e8:eaff:fe58:9df1/64 scope link
valid_lft forever preferred_lft forever
这个 19: 就是我们要找的 @if19 网卡信息,抓包的时候指定对应的网卡 veth504d7e6 , 现在可以抓包了:
$ tcpdump -i veth504d7e6 port 80 -A
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth504d7e6, link-type EN10MB (Ethernet), capture size 262144 bytes
05:39:43.181244 IP 172.17.0.2.33430 > 39.156.69.79.http: Flags [S], seq 2619505737, win 29200, options [mss 1460,sackOK,TS val 812639981 ecr 0,nop,wscale 7], length 0
E..<Vj@.@..S....'.EO...P."|I......r..-.........
0o..........
05:39:43.270550 IP 39.156.69.79.http > 172.17.0.2.33430: Flags [S.], seq 820750215, ack 2619505738, win 8192, options [mss 1452,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
E..<Vj@.,..O'.EO.....P..0...."|J.. ..:......................
05:39:43.270608 IP 172.17.0.2.33430 > 39.156.69.79.http: Flags [.], ack 1, win 229, length 0
E..(Vk@.@..f....'.EO...P."|J0...P.......
05:39:43.270686 IP 172.17.0.2.33430 > 39.156.69.79.http: Flags [P.], seq 1:73, ack 1, win 229, length 72: HTTP: GET / HTTP/1.1
E..pVl@.@.......'.EO...P."|J0...P....a..GET / HTTP/1.1
Host: baidu.com
User-Agent: Wget
Connection: close
tcpdump -i 网卡 -w test.cap (-w 保存cap抓包文件)