0

Wireshark is not showing interfaces in Ubuntu container without privileged mode

asked 2021-01-28 12:47:39 +0000

Rushikesh Acharya

updated 2021-01-28 12:49:36 +0000

I've installed Wireshark and xrdp in an Ubuntu 18.04 container. After starting the container with the --privileged mode and making an RDP connection, I can see Wireshark running with access to all the interfaces, but when I don't specify the --privileged mode while running the container, Wireshark does not show any interfaces. So how do I configure the container so that:

  1. I should be able to run the container without privileged mode and still be able to see the interfaces.
  2. Wireshark should not have access to all the interfaces of the host machine. It should have limited or customized access in which we should be able to specify which interfaces it has access to.

Comments

Where did you get the docker image from? Was that just a bare Ubuntu 18.04 image (which one?), where you added Wireshark and XRDP yourself, or was it all pre-installed?

Jaap ( 2021-01-28 15:08:40 +0000 )

I have pulled the image from the official Ubuntu repository on Docker Hub. After that I installed Wireshark and XRDP manually, and after connecting over RDP I can see all the interfaces only if I start the container in privileged mode.

Rushikesh Acharya ( 2021-01-29 04:09:23 +0000 )

Did you create specific users in the container to access Wireshark via RDP with?

Jaap ( 2021-01-29 07:30:24 +0000 )

I've not created a separate user. The Ubuntu container has only one user, i.e. root, and I'm using the same for RDP login.

Rushikesh Acharya ( 2021-01-29 08:38:40 +0000 )

Which interface are you wanting to capture from in the container? Probably the one where the RDP session is running over as well?

Jaap ( 2021-01-29 12:10:12 +0000 )

2 Answers

0

answered 2021-01-29 20:55:39 +0000

Jaap

I think the closest you can get to that is using the macvlan driver. Other than that, this is really a question on Docker, not so much on Wireshark.


Comments

Some experimenting shows that even though the macvlan driver gives access to the physical interface, it's still separated from the other traffic in this interface. So in essence it's still isolated from the other MACs on that physical interface.

Running a container with a host driver network interface indeed gives access to all host interfaces to capture on. Still there are some quirks; tshark -D doesn't list the interfaces even though you can capture from them. Having capabilities set on dumpcap stops it from working. And even without capabilities set, when run, dumpcap still produces errors about capabilities. This probably doesn't jive well with containers.

Jaap ( 2021-02-05 16:30:43 +0000 )
0

answered 2023-06-22 20:45:24 +0000

thediveo

ad 1. You'll need to deploy your container with additional capabilities. Unfortunately, the question doesn't specify any deployment details, although that would have been crucial. A good bet would be to add CAP_NET_ADMIN and CAP_NET_RAW. However, since the Q also doesn't mention --net=host, all you will see is your own eth0 behind a virtual bridge. As others pointed out, MACVLAN isn't a viable solution in this case, as it is a filtered secondary vNIC.

ad 2. Not possible without heavy interference with the system and playing tricks with syscalls.

Maybe the following could be an option for you: Siemens has open-sourced Edgeshark, which consists of a service container and a Wireshark extcap plugin. This allows capturing from the host (well, be careful as you capture your own captures) as well as from containers. It isn't Wireshark in a container; instead you connect from your desktop Wireshark to the service deployed on your Linux host.

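An added example, not part of the answers above or of the Wireshark project: a shell check to run inside the container that decodes the process's effective capability mask and reports whether the CAP_NET_ADMIN and CAP_NET_RAW capabilities named in the answer are present. The function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify capture-related capabilities inside a container.
# Individual capabilities can be granted with
#   docker run --cap-add=NET_ADMIN --cap-add=NET_RAW ...
# instead of --privileged, which grants every capability.

# Capability bit numbers as defined in <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# current_capeff: print the effective capability mask (hex) of this shell.
current_capeff() {
    while read -r key value rest; do
        if [ "$key" = "CapEff:" ]; then
            printf '%s\n' "$value"
            return 0
        fi
    done < /proc/self/status
    return 1
}

# has_cap HEXMASK BIT: exit status 0 when capability bit BIT is set in HEXMASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# capture_caps_report HEXMASK: print "ok" or the list of missing capabilities.
capture_caps_report() {
    missing=""
    has_cap "$1" "$CAP_NET_ADMIN" || missing="$missing NET_ADMIN"
    has_cap "$1" "$CAP_NET_RAW"   || missing="$missing NET_RAW"
    if [ -z "$missing" ]; then
        echo "ok"
    else
        echo "missing:$missing"
    fi
}

# Report on the current process when /proc is available.
if mask=$(current_capeff 2>/dev/null); then
    echo "CapEff=$mask -> $(capture_caps_report "$mask")"
fi
```

Running it as the same user that launches Wireshark shows which capability to add with `--cap-add`, so the container does not need `--privileged`.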


Stats

Asked: 2021-01-28 12:47:39 +0000

Seen: 1,995 times

Last updated: Jun 22 '23