tap.sh | sniff your container network traffic
#!/bin/bash
#
#
# ██▓ █ ██ ▄████▄ ▄████▄
# ▓██▒ ██ ▓██▒▒██▀ ▀█ ▒██▀ ▀█
# ▒██░ ▓██ ▒██░▒▓█ ▄ ▒▓█ ▄
# ▒██░ ▓▓█ ░██░▒▓▓▄ ▄██▒▒▓▓▄ ▄██▒
# ░██████▒▒▒█████▓ ▒ ▓███▀ ░▒ ▓███▀ ░
# ░ ▒░▓ ░░▒▓▒ ▒ ▒ ░ ░▒ ▒ ░░ ░▒ ▒ ░
# ░ ░ ▒ ░░░▒░ ░ ░ ░ ▒ ░ ▒
# ░ ░ ░░░ ░ ░ ░ ░
# ░ ░ ░ ░ ░ ░ ░
# ░ ░
# a script for fun and profit, By _lucc
#
# Author: Lucien Brule <lucien@lucienbrule.com>
# Copyright: MIT
#
# tap.sh - tap into the networking stack of a running container
# and open a network capture.
#
# Usage:
# tap.sh <container_name> <engine>
#
# Example:
# tap.sh my-container wireshark
#
# This will open wireshark on the container's network interface.
#
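# Configuration: the container runtime CLI. Defaults to docker; set
# CONTAINER_CMD=podman in the environment to use podman instead (both
# provide the `inspect` and `exec` subcommands used below).
export CONTAINER_CMD="${CONTAINER_CMD:-docker}"

# Unset variables are errors, and a failing pipeline stage fails the whole
# pipeline. Every critical step below still checks its own result.
set -u -o pipefail

# Print a diagnostic on stderr so it never mixes with the capture engine's
# stdout (tshark/tcpdump write packet data there).
warn() {
  printf '%s\n' "$*" >&2
}

echo "tap.sh: starting"

# if no container runtime is configured or installed then exit
if [ -z "$CONTAINER_CMD" ] || ! command -v "$CONTAINER_CMD" >/dev/null 2>&1; then
  warn "tap.sh: no container runtime found"
  exit 1
fi

export CONTAINER_NAME
CONTAINER_NAME="${1-}"
if [ -z "$CONTAINER_NAME" ]; then
  warn "Usage: $0 <CONTAINER_NAME> [wireshark|tshark|tcpdump]"
  warn "Description: Taps a container and opens wireshark"
  warn "Example: tap.sh ra-router : intercepts all traffic to the router"
  exit 1
fi

# Resolve the container by exact name (or ID) with `inspect` instead of
# grepping `ps -a`: the unanchored grep matched the argument in any column
# (image, status, a longer name that merely contains it), could yield
# several IDs at once, and `-a` also returned stopped containers that
# cannot be exec'd into. `--type container` keeps an image of the same
# name from being picked up.
export CONTAINER_ID
if ! CONTAINER_ID=$("$CONTAINER_CMD" inspect --type container --format '{{.Id}}' "$CONTAINER_NAME" 2>/dev/null); then
  CONTAINER_ID=""
fi
printf "CONTAINER_ID=%s\n" "$CONTAINER_ID"
if [ -z "$CONTAINER_ID" ]; then
  # the original format passed "\n" inside a %s argument, so a literal
  # backslash-n was printed after the message
  warn "Container $CONTAINER_NAME not found"
  exit 1
fi

# get the interface id of the bridge from the container
# eth0's iflink is the ifindex of the peer (host-side) end of its veth pair.
# This assumes the container has its own network namespace with an eth0;
# with host networking or a differently named interface the lookup fails
# and the script stops at the check below.
export CONTAINER_INTERFACE_ID
CONTAINER_INTERFACE_ID=$("$CONTAINER_CMD" exec "$CONTAINER_ID" cat /sys/class/net/eth0/iflink 2>/dev/null | tr -d '\r\n')
printf "CONTAINER_INTERFACE_ID=%s\n" "$CONTAINER_INTERFACE_ID"
# iflink must be a plain ifindex; anything else (empty output from a
# stopped container, error text) would become a bogus match key below.
case "$CONTAINER_INTERFACE_ID" in
  ''|*[!0-9]*)
    warn "Error: Could not find the container's interface id"
    exit 1
    ;;
esac

# get the interface name
# Compare the ifindex against the whole first field of `ip -o link`
# (one interface per line) rather than grepping for the number anywhere in
# `ip link show`, where it also matched MAC addresses, MTUs and other
# indexes and could pick the wrong interface.
export CONTAINER_INTERFACE_NAME
CONTAINER_INTERFACE_NAME=$(ip -o link show | awk -F': ' -v idx="$CONTAINER_INTERFACE_ID" '$1 == idx { print $2; exit }')
# drop the "@ifNN" peer suffix that veth interfaces carry
CONTAINER_INTERFACE_NAME="${CONTAINER_INTERFACE_NAME%%@*}"
printf 'CONTAINER_INTERFACE_NAME=%s\n' "$CONTAINER_INTERFACE_NAME"
if [ -z "$CONTAINER_INTERFACE_NAME" ]; then
  warn "Error: Could not find the container's interface name"
  exit 1
fi
printf "Container %s is connected to %s\n" "$CONTAINER_NAME" "$CONTAINER_INTERFACE_NAME"

###
# Consume second parameter
#
export CAPTURE_ENGINE
CAPTURE_ENGINE="${2-}"
if [ -z "$CAPTURE_ENGINE" ]; then
  # no engine requested: the interface name printed above is the result
  exit 0
fi
CAPTURE_ENGINE=$(printf '%s' "$CAPTURE_ENGINE" | tr -d '\r\n')

# Run the requested engine in the foreground on the host-side interface.
# Capturing needs the usual privileges (root or CAP_NET_RAW/CAP_NET_ADMIN
# on the engine); this script does not elevate, so run it accordingly.
case "$CAPTURE_ENGINE" in
  wireshark)
    printf "Starting wireshark on %s\n" "$CONTAINER_INTERFACE_NAME"
    wireshark -k -i "$CONTAINER_INTERFACE_NAME"
    ;;
  tshark)
    printf "Starting tshark on %s\n" "$CONTAINER_INTERFACE_NAME"
    tshark -i "$CONTAINER_INTERFACE_NAME"
    ;;
  tcpdump)
    printf "Starting tcpdump on %s\n" "$CONTAINER_INTERFACE_NAME"
    tcpdump -i "$CONTAINER_INTERFACE_NAME"
    ;;
  *)
    warn "Unknown capture engine: $CAPTURE_ENGINE"
    exit 1
    ;;
esac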