Tcpdump Docker Image
This is a simple docker image that runs tcpdump on an Ubuntu image and writes the tcpdump output file to the volume /data. Note in this configuration the system will keep at max 10x 1GB files and overwrite the oldest one.
Building the Image
Build the docker image with the following command:
$ docker build -t schwartz1375/docker-tcpdump:latest -f ./Dockerfile .
To capture data on the hosts network interfaces, you need to run the container by using the host networking mode. Note that there --net=host doesn't work as expected on Mac OS X (see the Docker Forum):
$ docker run --net=host schwartz1375/docker-tcpdump
To specify filters or interface, you can use this image as you would use tcpdump, but this will override default parameters:
$ docker run --net=host schwartz1375/docker-tcpdump -i eth2 port 80
If you want log the data (PCAP's) to the host, we use the docker -v command to mount the volume:
$ docker run --net=host -v $PWD:/data schwartz1375/docker-tcpdump -i any -w /data/dump.pcap "tcp"