A handy basic image comprising:
- Alpine Linux v3.4. A security-oriented, lightweight Linux distribution based on musl libc and BusyBox.
- tcpdump v4.7.4. A powerful command-line network packet analyzer.
I'd expect you to use this image as a simple packet capture tool. It can be used to display packets on STDOUT, or you can mount a volume and write the capture to a file.
If you'd like more information on using tcpdump, see my articles here;
Use this command to pull the image manually before runtime:
sudo docker pull itsthenetwork/alpine-tcpdump:latest
This command will start the container interactively, using host networking mode (necessary if you want to capture traffic to or from the host), and display ICMP traffic seen on any host interface. The container will be removed automatically when you stop the capture with [Ctrl]+C.
sudo docker run -it --privileged --net=host --name=tcpdump --rm itsthenetwork/alpine-tcpdump -i any -vvnn icmp
If you want to write to a file instead, this will work (it mounts the host's /var/tmp/ directory as /capture/ within the container):
sudo docker run -it --privileged=true --net=host --name=tcpdump -v /var/tmp:/capture --rm itsthenetwork/alpine-tcpdump -i any -vvnn -w /capture/file_name.pcap icmp
If you expect to use this image often, consider an alias at the CLI or in your ~/.bashrc file:
alias tcpdump="sudo docker run -it --privileged=true --net=host --name=tcpdump --rm itsthenetwork/alpine-tcpdump"
Whilst the image would run in the default bridged networking mode, doing so would be rather pointless, as it is unlikely any packets would ever arrive at the container. Thus, host networking is recommended.
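As an added example (my own wrapper, not part of this image or its instructions), the run commands above can be wrapped in a small POSIX sh function that grants the container only the capabilities tcpdump needs for a capture, on the assumption that NET_RAW (packet sockets) and NET_ADMIN (promiscuous mode) suffice, rather than the blanket --privileged, and that checks the host directory before bind-mounting it. The names capture and DOCKER are mine.

```sh
#!/bin/sh
# Added wrapper (not part of the image): run itsthenetwork/alpine-tcpdump with
# only the capabilities tcpdump needs (assumption: NET_RAW for packet sockets,
# NET_ADMIN for promiscuous mode) instead of --privileged. Host networking is
# kept, since the default bridge sees no host traffic.
set -eu

IMAGE="itsthenetwork/alpine-tcpdump:latest"
DOCKER="${DOCKER:-sudo docker}"   # set DOCKER=echo to print the command instead

# capture [HOST_PCAP_PATH] -- TCPDUMP_ARGS...
#   capture -- -i any -vvnn icmp               -> packets to STDOUT
#   capture /var/tmp/icmp.pcap -- -i any icmp  -> written to /var/tmp/icmp.pcap
capture() {
    host_pcap=""
    if [ "${1:-}" != "--" ]; then
        host_pcap="${1:-}"
        shift
    fi
    [ "${1:-}" = "--" ] || { echo "usage: capture [pcap] -- tcpdump-args" >&2; return 2; }
    shift

    if [ -n "$host_pcap" ]; then
        dir=$(dirname "$host_pcap")
        [ -d "$dir" ] || { echo "capture: no such directory: $dir" >&2; return 1; }
        # Bind-mount only the target directory and write the file inside it.
        set -- -v "$dir:/capture" "$IMAGE" -w "/capture/$(basename "$host_pcap")" "$@"
    else
        set -- "$IMAGE" "$@"
    fi

    # Interactive, auto-removed, host networking, minimal capabilities.
    set -- run -it --rm --net=host --name=tcpdump \
           --cap-add=NET_RAW --cap-add=NET_ADMIN "$@"
    $DOCKER "$@"
}
```

Run with DOCKER=echo first to see the exact docker command the wrapper would execute.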
If you want to install additional packages and build your own image based on this one, start your Dockerfile like this:
FROM itsthenetwork/alpine-tcpdump:latest
RUN apk add -U -v package_name package_name ...