Find out which network interface belongs to docker container

Question

Docker creates these virtual ethernet interfaces veth[UNIQUE ID] listed in ifconfig . How can I find out which interface belongs to a specific docker container?

I want to listen to the tcp traffic.

Answer 1

To locate interface
In my case getting value from container was like (check eth0 to):

$ docker exec -it my-container cat /sys/class/net/eth1/iflink
123

And then:

$ ip ad | grep 123
123: vethd3234u4@if122: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker_gwbridge state UP group default

Check with tcpdump -i vethd3234u4

---

Reference about mysterious iflink from http://lxr.free-electrons.com/source/Documentation/ABI/testing/sysfs-class-net :

150 What:           /sys/class/net/<iface>/iflink
151 Date:           April 2005
152 KernelVersion:  2.6.12
153 Contact:        netdev@vger.kernel.org
154 Description:
155                 Indicates the system-wide interface unique index identifier a
156                 the interface is linked to. Format is decimal. This attribute is
157                 used to resolve interfaces chaining, linking and stacking.
158                 Physical interfaces have the same 'ifindex' and 'iflink' values.

Answer 2

Based on the provided answer (which worked for me), I made this simple bash script:

#!/bin/bash

export containers=$(sudo docker ps --format "{{.ID}}|{{.Names}}")
export interfaces=$(sudo ip ad);
for x in $containers
        do
                export name=$(echo "$x" |cut -d '|' -f 2);
                export id=$(echo "$x"|cut -d '|' -f 1)
                export ifaceNum="$(echo $(sudo docker exec -it "$id" cat /sys/class/net/eth0/iflink) | sed s/[^0-9]*//g):"
                export ifaceStr=$( echo "$interfaces" | grep $ifaceNum | cut -d ':' -f 2 | cut -d '@' -f 1);
                echo -e "$name: $ifaceStr";
done

Answer 3

My answer more like improvement on that important topic because it didn't help to " Find out which network interface belongs to docker container ", but, as author noticed, he " want to listen to the tcp traffic " inside docker container - I'll try to help on that one during your troubleshooting of network.

Considering that veth network devices are about network namespaces, it is useful to know that we can execute program in another namespace via nsenter tool as follow (remember - you need a privileged permission (sudo/root) for doing that):

Get ID of any container you are interested in capture the traffic, for example it will be 78334270b8f8

Then we need to take PID of that containerized application (I assume you are running only 1 network-related process inside container and want to capture its traffic. Otherwise, that approach is hard to be suitable):

sudo docker inspect 78334270b8f8 | grep -i pid

For example, output for pid will be 111380 - that's ID of your containerized app, you can check also it via ps command: ps aux | grep 111380 ps aux | grep 111380 just in curiosity.

Next step is to check what network interfaces you have inside your container:

sudo nsenter -t 111380 -n ifconfig

This command will return you list of network devices in network namespace of the containerized app (you should not have ifconfig tool on board of your container, only on your node/machine)

For example, you need to capture traffic on interface eth2 and filter it to tcp destination port 80 (it may vary of course) with this command:

sudo nsenter -t 111380 -n tcpdump -nni eth2 -w nginx_tcpdump_test.pcap 'tcp dst port 80'

Remember, that in this case you do not need tcpdump tool to be installed inside your container.

Then, after capturing packets, .pcap file will be available on your machine/node and to read it use any tool you prefer tcpdump -r nginx_tcpdump_test.pcap

approach's pros:

• no need to have network tools inside container, only on docker node
• no need to search for map between network devices in container and node

cons:

• you need to have privileged user on node/machine to run nsenter tool

Answer 4

One-liner of the solution from @pbaranski

num=$(docker exec -i my-container cat /sys/class/net/eth0/iflink | tr -d '\r'); ip ad | grep -oE "^${num}: veth[^@]+" | awk '{print $2}'

If you need to find out on a container that does not include cat then try this tool: https://github.com/micahculpepper/dockerveth

Answer 5

You can also read the interface names via /proc/PID/net/igmp like (container name as argument 1):

#!/bin/bash

NAME=$1
PID=$(docker inspect $NAME --format "{{.State.Pid}}")
while read iface id; do
    [[ "$iface" == lo ]] && continue
    veth=$(ip -br addr | sed -nre "s/(veth.*)@if$id.*/\1/p")
    echo -e "$NAME\t$iface\t$veth"
done < <(</proc/$PID/net/igmp awk '/^[0-9]+/{print $2 " " $1;}')