tap.sh | sniff your container network traffic
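#!/bin/bash
#
#
# ██▓ █ ██ ▄████▄ ▄████▄
# ▓██▒ ██ ▓██▒▒██▀ ▀█ ▒██▀ ▀█
# ▒██░ ▓██ ▒██░▒▓█ ▄ ▒▓█ ▄
# ▒██░ ▓▓█ ░██░▒▓▓▄ ▄██▒▒▓▓▄ ▄██▒
# ░██████▒▒▒█████▓ ▒ ▓███▀ ░▒ ▓███▀ ░
# ░ ▒░▓ ░░▒▓▒ ▒ ▒ ░ ░▒ ▒ ░░ ░▒ ▒ ░
# ░ ░ ▒ ░░░▒░ ░ ░ ░ ▒ ░ ▒
# ░ ░ ░░░ ░ ░ ░ ░
# ░ ░ ░ ░ ░ ░ ░
# ░ ░
# a script for fun and profit, By _lucc
#
# Author: Lucien Brule <lucien@lucienbrule.com>
# Copyright: MIT
#
# tap.sh - tap into the networking stack of a running container
# and open a network capture.
#
# Usage:
#   tap.sh <container_name> [<engine>]
#
# Example:
#   tap.sh my-container wireshark
#
# This will open wireshark on the host-side interface that belongs to the
# container (the host ifindex read from the container's eth0 iflink).
# Without <engine> the script only prints the resolved interface name.
#
# Configuration: the runtime can be overridden from the environment,
# e.g. `CONTAINER_CMD=podman tap.sh my-container tshark`; the interface
# inspected inside the container defaults to eth0 (CONTAINER_IFACE).
set -euo pipefail

export CONTAINER_CMD="${CONTAINER_CMD:-docker}"
export CONTAINER_IFACE="${CONTAINER_IFACE:-eth0}"

#######################################
# Print a diagnostic to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf 'tap.sh: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print usage to stderr and exit with status 1.
#######################################
usage() {
  printf 'Usage: %s <CONTAINER_NAME> [wireshark|tshark|tcpdump]\n' "$0" >&2
  printf 'Description: Taps a container and opens wireshark\n' >&2
  printf 'Example: tap.sh ra-router : intercepts all traffic to the router\n' >&2
  exit 1
}

#######################################
# Resolve a container name (or ID) to its full ID with the runtime's own
# exact lookup. The previous `ps -a | grep "$name"` matched the name as an
# unanchored regex against every column (image names, partial names, several
# rows at once), so an unrelated container could be tapped.
# Globals:   CONTAINER_CMD (read)
# Arguments: $1 - container name or ID
# Outputs:   container ID on stdout, empty when not found
#######################################
container_id() {
  "$CONTAINER_CMD" inspect --type container --format '{{.Id}}' "$1" 2>/dev/null || true
}

#######################################
# Read the host-side ifindex (iflink) of the container's interface.
# Requires `cat` inside the container and a running container.
# Globals:   CONTAINER_CMD, CONTAINER_IFACE (read)
# Arguments: $1 - container ID
# Outputs:   iflink value on stdout with CR/LF stripped
# Returns:   non-zero when the exec fails
#######################################
container_iflink() {
  local raw
  raw=$("$CONTAINER_CMD" exec "$1" cat "/sys/class/net/${CONTAINER_IFACE}/iflink" 2>/dev/null) || return 1
  printf '%s' "${raw//[$'\r\n']/}"
}

#######################################
# Map a host ifindex to its interface name. The index field is compared
# exactly; the previous `grep "$id"` matched the digits anywhere on the line
# (index 1 hit every interface containing a 1), returning the wrong device.
# Arguments: $1 - ifindex
# Outputs:   interface name without the "@ifN" peer suffix, empty if unknown
#######################################
host_interface_name() {
  local line
  line=$(ip -o link show 2>/dev/null | awk -v idx="$1" -F': ' '$1 == idx { print $2; exit }') || line=""
  printf '%s' "${line%%@*}"
}

#######################################
# Entry point.
# Globals:   CONTAINER_NAME, CONTAINER_ID, CONTAINER_INTERFACE_ID,
#            CONTAINER_INTERFACE_NAME, CAPTURE_ENGINE (written, exported)
# Arguments: $1 - container name, $2 - optional capture engine
#######################################
main() {
  echo "tap.sh: starting"

  # The old check tested a hard-coded constant and could never fire; test
  # that the configured runtime and ip(8) are actually on PATH instead.
  command -v "$CONTAINER_CMD" >/dev/null 2>&1 || die "no container runtime found (${CONTAINER_CMD})"
  command -v ip >/dev/null 2>&1 || die "ip(8) not found on the host"

  export CONTAINER_NAME="${1:-}"
  [[ -n "$CONTAINER_NAME" ]] || usage

  export CONTAINER_ID
  CONTAINER_ID=$(container_id "$CONTAINER_NAME")
  printf 'CONTAINER_ID=%s\n' "$CONTAINER_ID"
  # (the old message also printed a literal "\n" because it was a %s argument)
  [[ -n "$CONTAINER_ID" ]] || die "Container ${CONTAINER_NAME} not found"

  export CONTAINER_INTERFACE_ID
  CONTAINER_INTERFACE_ID=$(container_iflink "$CONTAINER_ID") || CONTAINER_INTERFACE_ID=""
  printf 'CONTAINER_INTERFACE_ID=%s\n' "$CONTAINER_INTERFACE_ID"
  # must be a plain number: anything else (error text, empty) would be fed to ip(8)
  [[ "$CONTAINER_INTERFACE_ID" =~ ^[0-9]+$ ]] \
    || die "Could not find the container's interface id (is the container running?)"

  export CONTAINER_INTERFACE_NAME
  CONTAINER_INTERFACE_NAME=$(host_interface_name "$CONTAINER_INTERFACE_ID")
  printf 'CONTAINER_INTERFACE_NAME=%s\n' "$CONTAINER_INTERFACE_NAME"
  [[ -n "$CONTAINER_INTERFACE_NAME" ]] || die "Could not find the container's interface name"
  printf 'Container %s is connected to %s\n' "$CONTAINER_NAME" "$CONTAINER_INTERFACE_NAME"

  ###
  # Consume second parameter
  #
  export CAPTURE_ENGINE="${2:-}"
  CAPTURE_ENGINE=${CAPTURE_ENGINE//[$'\r\n']/}
  [[ -n "$CAPTURE_ENGINE" ]] || exit 0

  # Only a fixed set of tools is ever executed; the engine name is never
  # interpolated into a command line. Capturing on the host interface needs
  # capture privileges (usually root), so a permission error here is expected
  # for unprivileged users.
  case "$CAPTURE_ENGINE" in
    wireshark|tshark|tcpdump)
      command -v "$CAPTURE_ENGINE" >/dev/null 2>&1 || die "${CAPTURE_ENGINE} is not installed"
      ;;
    *)
      die "Unknown capture engine: ${CAPTURE_ENGINE}"
      ;;
  esac

  case "$CAPTURE_ENGINE" in
    wireshark)
      printf 'Starting wireshark on %s\n' "$CONTAINER_INTERFACE_NAME"
      wireshark -k -i "$CONTAINER_INTERFACE_NAME"
      ;;
    tshark)
      printf 'Starting tshark on %s\n' "$CONTAINER_INTERFACE_NAME"
      tshark -i "$CONTAINER_INTERFACE_NAME"
      ;;
    tcpdump)
      printf 'Starting tcpdump on %s\n' "$CONTAINER_INTERFACE_NAME"
      tcpdump -i "$CONTAINER_INTERFACE_NAME"
      ;;
  esac
}

main "$@"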