
I’m trying to wrap my head around some basic networking concepts using Docker and Wireshark to capture and analyze packets. I’m quite new to this, so please let me know if I need to clarify anything, or if I’m just going about this the wrong way entirely.

I’ve done some tests. I have done these tests using my regular command line (Windows 10) and a command line for an Ubuntu Docker container. I thought the easiest thing to do was just ping from either and see how it shows up in Wireshark. Here’s how I’ll be referring to some of the relevant IP addresses:

  • The IPv4 address I get when I run “ipconfig /all” in my Windows CLI: Windows IPv4
  • The “Temporary IPv6 Address” I get when I run the same: Windows temporary IPv6
  • The address I get when I run “ip a” in the Ubuntu terminal: Ubuntu IP

Here are the tests I run, and the results, capturing on all interfaces in Wireshark with promiscuous mode turned off:

  • When I ping a website from the Windows CLI, the protocol shows as ICMPv6, and the source IP in Wireshark shows up as the Windows temporary IPv6.
  • When I ping a website from the Ubuntu Docker container CLI, the protocol shows as ICMP, and the source IP Wireshark shows is the Windows IPv4.

I never see the Ubuntu IP show up anywhere during these tests. In fact, when I check the IP addresses associated with each interface in Wireshark, I don’t see it there either.

Why can’t I see the IP address of the Docker container in Wireshark? Shouldn’t it have its own interface?

Here is my end goal, to provide some context: I would like to run a VoIP program and track all the data that’s going in and out of it, to have a better understanding of how that works and how to protect my privacy. Based on some research, the best way to do that would be to isolate that program in a Docker container and track all of the traffic going in and out of that Docker container through Wireshark. I’m new to VoIP, Docker, Wireshark, and networking in general, so figuring this all out has been hard.

Another concern I had was that I couldn’t find anything when filtering for the specific website that I pinged within the packets in Wireshark, just the IP addresses. This concerns me because the whole point of this is to be able to analyze all data going in and out of a program. Is any of the information from the ping being left out of the packets? Or is that info just being encrypted?
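The last concern above (the website name not being findable in the ping packets) can be illustrated with a small, offline packet model. The following is an added example, not code from the question or the answer: it constructs in memory the two kinds of packet that `ping <hostname>` puts on the wire, a DNS query (sent first, to resolve the name) and an ICMP Echo Request (which carries only identifier, sequence number and padding, never the name), then runs the same raw byte search that a Wireshark `frame contains "..."` filter performs. The hostname `example.com`, the transaction ID and the padding bytes are constructed values; nothing is sent on the network.

```python
import struct

# Added example (not from the question or the answer): where the hostname
# typed into "ping <hostname>" actually appears in the captured packets.
# Every packet here is built in memory, so this runs offline.

DNS_HEADER_LEN = 12  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (2 bytes each)


def build_dns_query(hostname, txid=0x1234):
    """Wire form of a DNS A-record query, as the resolver sends it before ping starts."""
    # Flags 0x0100 = standard query, Recursion Desired; one question, no other records.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: every label is length-prefixed; the dots never appear on the wire,
    # which is why a raw search for "example.com" finds nothing.
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in hostname.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_dns_qname(packet):
    """Decode the QNAME of the first question, as Wireshark's dns.qry.name field does."""
    labels = []
    pos = DNS_HEADER_LEN
    while packet[pos] != 0:
        length = packet[pos]
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum, as used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident=1, seq=1, payload=b"abcdefghijklmnopqrstuvwabcdefghi"):
    """ICMP Echo Request (type 8, code 0): identifier, sequence and 32 bytes of padding.

    The padding is a constructed value resembling what Windows ping sends; note that
    the target hostname is nowhere in this packet. The IP header, which carries the
    resolved address, is added by the kernel and is not modelled here.
    """
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    checksum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, checksum, ident, seq) + payload


def icmp_checksum_ok(packet):
    """Recomputing the checksum over a packet that already carries one yields 0."""
    return inet_checksum(packet) == 0


def simulate_ping(hostname):
    """The packets 'ping <hostname>' emits, in order: the DNS lookup, then the ICMP echo."""
    return [("DNS", build_dns_query(hostname)), ("ICMP", build_icmp_echo())]


def frames_containing(frames, needle):
    """Mimic Wireshark's  frame contains "needle"  filter: a raw byte search per frame."""
    return [proto for proto, pkt in frames if needle.encode("ascii") in pkt]


if __name__ == "__main__":
    frames = simulate_ping("example.com")  # constructed hostname
    print("raw search for 'example.com':", frames_containing(frames, "example.com"))  # []
    print("raw search for 'example':    ", frames_containing(frames, "example"))      # ['DNS']
    print("decoded dns.qry.name:        ", parse_dns_qname(frames[0][1]))            # example.com
```

The practical consequence: to find the website in a capture, filter on the decoded DNS field (`dns.qry.name contains "example"`) rather than searching for the dotted name as raw bytes, and expect the ICMP packets themselves to show only the resolved IP addresses. Nothing in an unencrypted ping is hidden; the name simply travels in a different packet than the echo requests.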

1 Answer

Siemens has open-sourced its previously company-internal Edgeshark tool under the MIT license. Edgeshark consists of one (actually two) services that are deployed on a Docker (Linux) host, as well as a Wireshark extcap plugin. Edgeshark has a web UI that displays the virtual networks inside container hosts and additionally allows kicking off Wireshark live capture sessions.

There's no need to modify any container beforehand. Just deploy

wget -q --no-cache -O - \
  https://github.com/siemens/edgeshark/raw/main/deployments/wget/docker-compose.yaml \
  | docker compose -f - up

and additionally install the Edgeshark extcap plugin for Linux and Windows.

There's an online manual as well as included online help for how to deploy and understand the things you'll see.
