
compose a three-service architecture and a virtual bridged network to which the three services are attached. I want one of the containers to be able to listen to all the traffic within the virtual network (promiscuous mode). Is it possible? I've tried almost everything but nothing seems to be working.

What I've tried:

  • Giving full privileges to the container
  • Setting the container's eth0 interface to promiscuous mode (ifconfig eth0 promisc)
  • Restarting the network manager inside the container
  • Setting the veth corresponding to the container to promiscuous mode from the host machine
  • Changing the mode from "bridge" to "passthru" in the macvlan configuration of the pipework script
  • Setting the container as the gateway in the network properties of the docker-compose file

Many of the above attempts result in the container's eth0 interface "thinking" it is in promiscuous mode; in fact both ifconfig and syslog (on the host) say it is, but the container still sees only its own traffic.

I'm using Docker 1.11 and the base image inside the container is Ubuntu 14.04:latest

Below is my docker-compose file. Thanks in advance.

docker-compose.yml

version: '2'

networks:

  snort_net:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.19.0.0/24
          gateway: 172.19.0.3

services:

   mysql:
     build:
       context: .
       dockerfile: MySql/MySqlFile
     environment:
       - MYSQL_ALLOW_EMPTY_PASSWORD=yes
     networks:
       snort_net:
         ipv4_address: 172.19.0.2

   snort:
     build:
       context: .
       dockerfile: Snort/SnortFile
     depends_on:
       - snorby
     env_file:
       - Snort/snort_variables.env
     networks:
       snort_net:
         ipv4_address: 172.19.0.3
     expose:
       - "80"
       - "21"
     ports:
       - "10100:80"
       - "10101:80/udp"
       - "21:21"
     cap_add:
       - NET_ADMIN
     privileged: true


   snorby:
     build:
       context: .
       dockerfile: Snorby/SnorbyFile
     depends_on:
       - mysql
     env_file:
       - Snorby/snorby_variables.env
     networks:
       snort_net:
         ipv4_address: 172.19.0.4
     ports:
       - "3000:3000"
tgogos
Aenon

2 Answers


I am able to get it working with the below command while creating the container, as I decided to switch off to listen for all traffic.

administrator@gitlabrunner-prod01:~$ docker run --rm --privileged -t -d -p 23:22 --name ubuntu ubuntu
Mansur Ul Hasan

A container is effectively attached to a virtual switch; it's never going to see anything other than (a) unicast traffic to the container or (b) broadcast/multicast traffic on the docker network. If you have it set up as a network gateway, it would also see any traffic being sent from other containers to destinations outside the network (but would still not see communication between other containers on the same network).

If you were using Linux bridges rather than macvlan, you should be able to attach tcpdump to the docker bridge and get what you want (either by running it on the host, or by running it inside a container with --net=host).

larsks
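The answer above recommends capturing on the Docker bridge itself rather than inside a container, because the bridge is the switch and every inter-container frame crosses it. The script below is an added example, not code from the answer or from Docker: it shows how a defender on the host would locate the bridge backing a compose network, build the tcpdump invocation for it, and confirm from /sys/class/net that the interface really entered promiscuous mode. It assumes Docker's naming convention for user-defined bridges (br- followed by the first 12 hex characters of the network ID, unless the com.docker.network.bridge.name option was set when the network was created); the network ID used for illustration and the network name snort_snort_net (compose 1.x naming of the question's snort_net) are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original answer: find the Linux bridge that
# backs a docker-compose network and capture on it from the host. The bridge
# is the "switch", so a capture there sees frames between all containers,
# which a promiscuous veth inside one container never does.
#
# Assumption (not stated on the page): Docker names the bridge of a
# user-defined network "br-" plus the first 12 hex digits of the network ID
# unless com.docker.network.bridge.name was given at creation time.

# Derive the interface name from a network ID (pure string work, runs offline).
bridge_name_from_id() {
    id=$1
    [ -n "$id" ] || return 1
    printf 'br-%s\n' "$(printf '%s' "$id" | cut -c1-12)"
}

# Resolve the bridge for a network by asking the Docker daemon (needs docker).
bridge_for_network() {
    name=$1
    custom=$(docker network inspect \
        -f '{{index .Options "com.docker.network.bridge.name"}}' "$name") || return 1
    if [ -n "$custom" ]; then
        printf '%s\n' "$custom"
    else
        bridge_name_from_id "$(docker network inspect -f '{{.Id}}' "$name")"
    fi
}

# Build the host-side tcpdump command: -nn avoids name lookups, -e keeps the
# Ethernet header so container MACs are visible; an optional BPF filter follows.
capture_cmd() {
    iface=$1
    shift
    if [ $# -gt 0 ]; then
        printf 'tcpdump -i %s -nn -e %s\n' "$iface" "$*"
    else
        printf 'tcpdump -i %s -nn -e\n' "$iface"
    fi
}

# Test the IFF_PROMISC bit (0x100) in the flags word that the kernel exposes
# in /sys/class/net/<iface>/flags, e.g. "0x1103" while tcpdump is running.
is_promisc_flags() {
    flags=$1
    [ $(( $flags & 0x100 )) -ne 0 ]
}

# Same check against a live interface on the host.
iface_is_promisc() {
    is_promisc_flags "$(cat "/sys/class/net/$1/flags")"
}

# Usage on a host running the compose project from the question
# (compose 1.x names the network <project>_<network>, here snort_snort_net,
# a constructed name):
#   br=$(bridge_for_network snort_snort_net)
#   sudo $(capture_cmd "$br" 'tcp port 3306')   # MySQL traffic between containers
#   iface_is_promisc "$br" && echo "$br is promiscuous"
```

The same capture works from a container started with --net=host (or network_mode: host in compose), since that container shares the host's interfaces and can open the bridge directly; that is the configuration in which Snort sees all three services' traffic instead of only its own.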