Wireshark is not showing interfaces in Ubuntu container without privileged mode

asked 2021-01-28 12:47:39 +0000

1 ●1 ●1 ●2

updated 2021-01-28 12:49:36 +0000

I've installed wireshark and xrdp in Ubuntu 18.04 Container. After starting the container with the --privileged mode and taking RDP connection, I can see the wireshark running with having access to all the interfaces but, when I don't specify the --privileged mode while running the container, then wireshark does not show any interfaces. So how do I configure the container so that,

I should be able to run container without privileged mode and still should be able to see the interfaces
Wireshark should not have access to all the interfaces of the host machine. It should have limited or customized access in which we should be able to mention to which interfaces it should have access to.

edit retag flag offensive close merge delete

Comments

Where did you get the docker image from? Was that just a bare Ubuntu 18.04 image (which one?), where you added Wireshark and XRDP yourself, or was it all pre-installed?

Jaap ( 2021-01-28 15:08:40 +0000 )edit

I have pulled the image from the Ubuntu official repository from docker hub. After that I've installed the Wireshark and XRDP manually and after taking the rdp I can see all the interfaces only if I start the container in privileged mode.

Rushikesh Acharya ( 2021-01-29 04:09:23 +0000 )edit

Did you create specific users in the container to access Wireshark via RDP with?

Jaap ( 2021-01-29 07:30:24 +0000 )edit

I've not created separate user. Ubuntu container has only one user i.e root and I'm using the same for RDP login.

Rushikesh Acharya ( 2021-01-29 08:38:40 +0000 )edit

Which interface are you wanting to capture from in the container? Probably the one where the RDP session is running over as well?

Jaap ( 2021-01-29 12:10:12 +0000 )edit

see more comments

2 Answers

Sort by » oldest newest most voted

answered 2023-06-22 20:45:24 +0000

thediveo
28 ●2 ●3 ●7

ad 1. You'll need to deploy your container with additional capabilities. Unfortunately, the question doesn't specify any deployment details albeit that would have been crucial. A good bet would be to add CAP_NET_ADMIN and CAP_NET_RAW. However, since the Q also doesn't mention --net=host all you will see is your own eth0 behind a virtual bridge. As others pointed out, MACVLAN isn't a viable solution in this case, as it is a filtered secondary vNIC.

ad 2. not possible without heavy interference with the system and playing tricks with syscalls.

Maybe the following could be an option for you: Siemens has open source'd Edgeshark that consists of a service container and a Wireshark extcap plugin. This allows to capture from the host (well, be careful as you capture your own captures) as well as from containers. It isn't Wireshark in a container but instead you connect from your Desktop Wireshark to the service deployed on your linux host.

edit flag offensive delete link

add a comment

answered 2021-01-29 20:55:39 +0000

Jaap

13742 ●710 ●115

I think the closed you can get to that is using the macvlan driver. Other than that this is really question on docker, not so much on Wireshark.

edit flag offensive delete link

Comments

Some experimenting shows that even though the macvlan driver gives access to the physical interface, it's still separated from the other traffic in this interface. So in essence it's still isolated from the other MACs on that physical interface.

Running a container with a host driver network interface indeed gives access to all host interfaces to capture on. Still there are some quirks; tshark -D doesn't list the interfaces even though you can capture from them. Having capabilities set on dumpcap stops it from working. And even without capabilities set, when run, dumpcap still produces errors about capabilities. This probably doesn't jive well with containers.

Jaap ( 2021-02-05 16:30:43 +0000 )edit

add a comment