Accessing the Docker Linux Virtual Machine
Docker runs on Linux natively, but Docker Desktop works on a Mac by creating a virtual machine, installing Linux, and then running Docker on top of that.
So, to do some things, like intercepting network traffic, you need to be in that virtual machine. Here's how:
This command gets you inside the Docker Desktop Linux VM, the one that Docker is actually installed in:
docker run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
Now you have access to the Docker network and can capture and examine its traffic.
ls -ltra /var/lib/docker/volumes/
That shows all the volumes (same as with Docker Desktop, though).
However, you can also just connect to the network of a container (using the container name as a connection point) and run the capture like this:
docker run -it -v ./:/data --net container:pdga-php nicolaka/netshoot tcpdump -s 0 -w /data/capture.pcap
<< YO!!
Then on the host do
open capture.pcap
to open it in Wireshark.
In Wireshark, you can filter:
mysql and _ws.col.info ~ "Query"
and
mysql and _ws.col.info ~ "TABULAR"
etc. Pretty fire.
THIS saved the output, but it's not in pcap format, it's just ASCII…
docker run -it --rm --net container:pdga-php nicolaka/netshoot tcpdump -s 0|tee ~/foo.pcap
You can open it in Wireshark but also do this from the command line (tshark FTW!!):
tshark -r capture.pcap --display-filter 'ip.src == 172.18.0.6 and _ws.col.info ~ "TABULAR"'
So, that way, you could save a script to capture data, then filter it with tshark. Yeah, baby!
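The capture-then-filter script idea above, as an added example (not code from the original page). It streams binary pcap over stdout with tcpdump -w -, which the tee attempt lacked, and checks the file's magic number before handing it to tshark. The function names, the capture.pcap output name and the packet-count argument are assumptions.

```shell
#!/bin/sh
# Added example: capture from a container's network namespace, confirm the
# file is really pcap, then filter with tshark. Function names are assumptions.

# is_pcap FILE: succeed only if FILE starts with a pcap or pcapng magic number.
# tcpdump's text output (what "tcpdump | tee" saves) fails this check.
is_pcap() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4) return 0 ;;   # classic pcap, microsecond timestamps
        4d3cb2a1|a1b23c4d) return 0 ;;   # classic pcap, nanosecond timestamps
        0a0d0d0a)          return 0 ;;   # pcapng section header block
        *)                 return 1 ;;
    esac
}

# build_filter SRC_IP PATTERN: print the display filter used on this page.
# Rejects values that could break out of the quoted filter expression.
build_filter() {
    case "$1" in ''|*[!0-9.]*) echo "bad source IP: $1" >&2; return 1 ;; esac
    case "$2" in ''|*[!A-Za-z0-9_]*) echo "bad pattern: $2" >&2; return 1 ;; esac
    printf 'ip.src == %s and _ws.col.info ~ "%s"\n' "$1" "$2"
}

# capture CONTAINER COUNT OUTFILE: write COUNT packets as binary pcap.
# No -t here: a TTY translates newline bytes and corrupts binary output.
capture() {
    docker run --rm --net "container:$1" nicolaka/netshoot \
        tcpdump -s 0 -U -c "$2" -w - > "$3"
}

# capture_and_filter CONTAINER COUNT SRC_IP PATTERN
capture_and_filter() {
    out=capture.pcap
    filter=$(build_filter "$3" "$4") || return 1
    capture "$1" "$2" "$out" || return 1
    is_pcap "$out" || { echo "$out is not a pcap file" >&2; return 1; }
    tshark -r "$out" --display-filter "$filter"
}

# Example call: capture_and_filter pdga-php 500 172.18.0.6 TABULAR
```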