In the past, we've successfully used nicolaka/netshoot to capture network traffic of Docker containers run with docker-compose:
$ cat docker-compose.yml
version: "3.6"
services:
  tcpdump:
    image: nicolaka/netshoot
    depends_on:
      - nginx
    command: tcpdump -i any -w /data/nginx.pcap
    network_mode: service:nginx
    volumes:
      - $PWD/data:/data
  nginx:
    image: nginx:alpine
    ports:
      - 80:80
$ docker-compose up
WARNING: The Docker Engine you're using is running in swarm mode.
Compose does not use swarm mode to deploy services to multiple nodes in a swarm. All containers will be scheduled on the current node.
To deploy your application across the swarm, use `docker stack deploy`.
Creating network "netshoot_default" with the default driver
Creating netshoot_nginx_1 ... done
Creating netshoot_tcpdump_1 ... done
$ curl -s -o /dev/null http://localhost
$ docker-compose down
Stopping netshoot_tcpdump_1 ... done
Stopping netshoot_nginx_1   ... done
Removing netshoot_tcpdump_1 ... done
Removing netshoot_nginx_1   ... done
Removing network netshoot_default
$ tshark -2 -r data/nginx.pcap http
   13   4.760638   172.25.0.1 → 172.25.0.2   HTTP 145 GET / HTTP/1.1
   17   4.760866   172.25.0.2 → 172.25.0.1   HTTP 684 HTTP/1.1 200 OK  (text/html)
$
Unfortunately, this doesn't seem to work if the containers are started with docker stack create because network_mode is not supported:
$ docker stack deploy -c docker-compose.yml netshoot
Ignoring unsupported options: network_mode
Creating network netshoot_default
Creating service netshoot_tcpdump
Creating service netshoot_nginx
$ curl -s -o /dev/null http://localhost
$ docker stack rm netshoot
Removing service netshoot_nginx
Removing service netshoot_tcpdump
Removing network netshoot_default
$ tshark -2 -r data/nginx.pcap http
$ tshark -2 -r data/nginx.pcap tcp
      6   4.221820   172.18.0.1 → 172.18.0.2   TCP 80 63798 → 80 [SYN] Seq=0 Win=65495 Len=0 MSS=65495 SACK_PERM=1 TSval=191764735 TSecr=0 WS=128
$
How can we configure our netshoot containers in the docker-compose.yml so they share the network interfaces of other containers even if they are started via docker stack create?
From there: https://forums.docker.com/t/how-to-tcpdump-inter-service-traffic/23463/4
Overlay network traffic in swarm does not go through docker0 or docker_gwbridge. There are 2 options:
Option 1: Go inside the container and do tcpdump. nicolaka/netshoot is a container with all network debug tools.
docker run -ti --net container:<container name/id> nicolaka/netshoot
tcpdump -i <eth0>
Option 2: Go inside the network namespace of the overlay network and do tcpdump.
First find the overlay network ID with docker network inspect.
Start a debug container mounting the network namespace:
docker run -it --rm -v /var/run/docker/netns:/var/run/docker/netns --privileged=true nicolaka/netshoot
All namespaces are listed under: /var/run/docker/netns
Find your swarm overlay network namespace matching the overlay network ID from the previous command. Then enter the network namespace:
nsenter --net=/var/run/docker/netns/ sh
tcpdump -i vxlan0
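Option 2 as a script, added here as an example and not part of the quoted forum post: it resolves the overlay network's ID, finds the matching file under /var/run/docker/netns, and runs tcpdump inside that namespace. It assumes it runs as root on a swarm node with docker, nsenter and tcpdump installed, and that overlay namespace files are named "<index>-<first 10 characters of the network ID>"; the function names and the script name are hypothetical.

```sh
#!/bin/sh
# Added example: capture traffic inside a swarm overlay network namespace.
NETNS_DIR="${NETNS_DIR:-/var/run/docker/netns}"

# Print the namespace file that belongs to an overlay network ID.
# Assumption: the file is named "<index>-<first 10 chars of the network ID>".
# Returns 1 if nothing matches, 2 if the ID is too short, 3 if ambiguous.
find_overlay_netns() {
    net_id="$1"; dir="${2:-$NETNS_DIR}"; match=""; count=0
    [ "${#net_id}" -ge 10 ] || { echo "network ID too short: $net_id" >&2; return 2; }
    prefix="$(printf '%.10s' "$net_id")"
    for f in "$dir"/*-"$prefix"; do
        [ -e "$f" ] || continue   # glob did not expand: no such file
        match="$f"; count=$((count + 1))
    done
    case "$count" in
        0) echo "no namespace for $net_id in $dir (no task of this network on this node?)" >&2
           return 1 ;;
        1) printf '%s\n' "$match" ;;
        *) echo "more than one namespace matches $prefix in $dir" >&2
           return 3 ;;
    esac
}

# Resolve the network name to its ID, then run tcpdump inside the namespace.
capture_overlay() {
    net_name="$1"; out="$2"
    id="$(docker network inspect -f '{{.Id}}' "$net_name")" || return 1
    ns="$(find_overlay_netns "$id")" || return 1
    echo "capturing in $ns, writing $out (Ctrl-C to stop)" >&2
    nsenter --net="$ns" tcpdump -i any -w "$out"
}

# Usage: ./overlay-capture.sh netshoot_default /data/overlay.pcap
if [ "$#" -eq 2 ]; then
    capture_overlay "$1" "$2"
fi
```

The namespace only exists on nodes that currently run a task attached to the network, so run the script on the node where the service's container is scheduled.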