Accessing the Docker Linux Virtual Machine

January 12, 2025 full-stack docker

Docker runs natively on Linux, but Docker Desktop on a Mac works by creating a virtual machine, installing Linux in it, and running Docker on top of that.

So, to do some things, like intercepting network traffic, you need to be in that virtual machine. Here's how:

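This command gets you inside the Docker Desktop Linux VM, the one that Docker is actually installed in. It starts a privileged container that shares the VM's PID namespace, then uses nsenter to enter the mount, UTS, network and IPC namespaces of PID 1, so the shell you get is effectively a root shell on the VM: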

docker run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh

Now you have access to the Docker network and can capture and examine network traffic.

ls -ltra /var/lib/docker/volumes/   # see all the volumes (same as w/Docker Desktop, though)

However, you can also just connect to the network of a container (using the container name as a connection point) and run it like this:

docker run -it -v ./:/data --net container:pdga-php nicolaka/netshoot tcpdump -s 0 -w /data/capture.pcap   # YO!!

Then, on the host, run open capture.pcap to open the capture in Wireshark.

In Wireshark, you can filter with mysql and _ws.col.info ~ "Query", or with mysql and _ws.col.info ~ "TABULAR", etc. Pretty fire.

THIS saved the output, but it's not in pcap format, it's just ASCII… (without -w, tcpdump prints decoded text instead of writing raw packets):

docker run -it --rm --net container:pdga-php nicolaka/netshoot tcpdump -s 0|tee ~/foo.pcap

You can open the capture in Wireshark, but you can also filter it from the command line (tshark FTW!!):

tshark -r capture.pcap --display-filter 'ip.src == 172.18.0.6 and _ws.col.info ~ "TABULAR"'

So, that way, you could save a script to capture data, then filter it with tshark. Yeah, baby!
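One way to write that script, as an added example rather than anything from the original post: it captures a fixed number of packets from the container's network namespace and then runs the tshark filter over the result. The argument order, the packet-count limit and the input checks are assumptions made for illustration; pdga-php and the filter text come from the commands above.

```shell
#!/bin/sh
# Added example (not from the original post): capture, then filter with tshark.
# Usage (assumed): ./capture.sh CONTAINER PACKET_COUNT SRC_IP INFO_REGEX
#   e.g.           ./capture.sh pdga-php 500 172.18.0.6 TABULAR

# Docker container names are [a-zA-Z0-9][a-zA-Z0-9_.-]*; refuse anything else
# so the argument can never be read as an extra docker option.
valid_container() {
    case $1 in
        ''|[_.-]*|*[!a-zA-Z0-9_.-]*) return 1 ;;
    esac
}

# Print the display filter used above. The IP must be a dotted quad and the
# pattern must not contain quotes or backslashes, so neither value can
# change the structure of the filter.
build_filter() {
    ip=$1
    pattern=$2
    case $ip in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    case $pattern in ''|*[\"\\]*) return 1 ;; esac
    printf 'ip.src == %s and _ws.col.info ~ "%s"' "$ip" "$pattern"
}

# Write ./capture.pcap. No -it here: a script has no TTY to attach.
# -c makes tcpdump exit after COUNT packets instead of waiting for Ctrl-C.
capture() {
    valid_container "$1" || { echo "bad container name: $1" >&2; return 2; }
    docker run --rm -v "$PWD:/data" --net "container:$1" nicolaka/netshoot \
        tcpdump -s 0 -c "$2" -w /data/capture.pcap
}

main() {
    filter=$(build_filter "$3" "$4") || { echo "bad filter input" >&2; return 2; }
    capture "$1" "$2" && tshark -r capture.pcap --display-filter "$filter"
}

# Only run when called with all four arguments.
if [ "$#" -eq 4 ]; then main "$@"; fi
```

On a quiet container the capture step waits until the requested number of packets has been seen, so pick a count that matches the traffic you expect.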
