Wireshark is an incredibly powerful network protocol analyzer.

Wireshark allows you to capture and inspect network traffic, providing invaluable insights into how your network operates and helping you troubleshoot issues or identify security vulnerabilities.

This post will walk you through setting up Wireshark in a Docker container, making it easier to use and manage.

What is Wireshark?

Wireshark is a free and open-source packet analyzer.

It captures network traffic in real-time and displays it in a human-readable format. You can use Wireshark to:

  • Troubleshoot network problems: Identify bottlenecks, dropped packets, and other network issues.
  • Analyze network protocols: Understand how different network protocols work.
  • Detect security vulnerabilities: Identify malicious traffic or unauthorized access attempts.
  • Learn networking: Gain a deeper understanding of network concepts.

Why use Wireshark in Docker?

Running Wireshark in a Docker container offers several advantages:

  • Isolation: It isolates Wireshark from your host system, preventing potential conflicts or unintended modifications.
  • Portability: You can easily move the Wireshark environment between different machines.
  • Cleanliness: Keeps your host system clean by avoiding the installation of potentially conflicting dependencies.
  • Reproducibility: Ensures a consistent environment for network analysis.

Setting up Wireshark with Docker

Here’s how to set up Wireshark in a Docker container using the linuxserver/wireshark image:

#---
#version: "2.1"

services:
  wireshark:
    image: lscr.io/linuxserver/wireshark:latest #https://github.com/linuxserver/docker-wireshark
    container_name: wireshark
    cap_add:
      - NET_ADMIN # Access to read network configuration
    network_mode: host # Or use a Docker network for more controlled capture
    environment:
      - PUID=1000 # User ID - find yours with `id your_user_name`
      - PGID=1000 # Group ID - find yours with `id your_user_name`
      - TZ=Europe/Rome # Set your timezone
    volumes:
      - ~/Docker/Wireshark:/config # Persistent storage for configurations and captures
    ports:
      - 3000:3000 # Optional - for accessing the web UI (if available in the image)
    restart: unless-stopped

  1. Save the YAML file: Save the above YAML configuration as a file named docker-compose.yml in a directory of your choice (e.g., ~/Docker/wireshark).

  2. Run Docker Compose: Navigate to the directory containing the docker-compose.yml file in your terminal and run:

docker-compose up -d

  3. Access Wireshark:
  • GUI: The linuxserver/wireshark image typically provides a web UI accessible via port 3000 (if you’ve mapped it). Open your web browser and go to http://localhost:3000. The default username and password are abc. It is highly recommended to change these immediately after the first login.
  • CLI: You can also interact with Wireshark through the command line within the container. Use docker exec -it wireshark bash to enter the container’s shell.

Key Configuration Details

  • cap_add: NET_ADMIN: This is crucial. It grants the container the necessary privileges to capture network traffic.
  • network_mode: host: This puts the container directly on the host’s network stack. This is generally the easiest way to capture traffic on all interfaces. Alternatively, you could use a Docker network and capture traffic within that network. For security reasons, network_mode: host should be used with caution.
  • PUID and PGID: These environment variables set the user and group IDs within the container to match your user on the host machine. This ensures that files created within the container have the correct permissions. Use id your_user_name to find your UID and GID.
  • volumes: This mounts a directory on your host machine to /config inside the container. This is where Wireshark will store its configuration files and captured packets. This ensures that your data is persistent across container restarts.
  • ports: The port mapping is optional. It’s used if the Docker image offers a web UI for Wireshark.

Capturing Network Traffic

Once Wireshark is running, you can start capturing traffic from the desired network interface.

The web UI (if available) or the tshark command-line tool within the container can be used for capture.

Consult the Wireshark documentation for details on capturing and analyzing traffic.

Important Security Considerations

  • network_mode: host: While convenient, using network_mode: host can pose security risks. If the container is compromised, it could potentially affect the host system. Consider using a Docker network and capturing traffic on specific interfaces if you need more isolation.
  • Change Default Credentials: Immediately change the default username and password for the Wireshark web UI after the first login.
  • Principle of Least Privilege: Only grant the necessary capabilities (NET_ADMIN) to the container.
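As an added example (not code from this post or from the linuxserver project), the Python script below audits a compose service definition for the settings covered in the configuration details and security considerations above: host networking, capabilities beyond what capture needs, privileged mode, and a web UI port bound to every interface. It assumes the short `host:container` port syntax; the COMPOSE dict is a constructed copy of the post's service, and the function names are my own.

```python
"""Audit a compose service for the Wireshark-in-Docker settings discussed
above (host networking, capabilities, exposed web UI). Added example only,
not code from the post or the linuxserver project."""

# Capabilities a capture container legitimately needs: NET_RAW for packet
# sockets, NET_ADMIN for promiscuous mode and interface configuration.
CAPTURE_CAPS = {"NET_ADMIN", "NET_RAW"}

# Constructed: a dict copy of the service definition shown earlier in the post.
COMPOSE = {
    "services": {
        "wireshark": {
            "image": "lscr.io/linuxserver/wireshark:latest",
            "cap_add": ["NET_ADMIN"],
            "network_mode": "host",
            "environment": ["PUID=1000", "PGID=1000", "TZ=Europe/Rome"],
            "volumes": ["~/Docker/Wireshark:/config"],
            "ports": ["3000:3000"],
            "restart": "unless-stopped",
        }
    }
}

def audit_service(svc: dict) -> list[str]:
    """Return one finding per risky setting in a single compose service."""
    findings = []
    if svc.get("privileged"):
        findings.append("privileged: true grants every capability; use cap_add")
    extra = set(svc.get("cap_add", [])) - CAPTURE_CAPS
    if extra:
        findings.append(f"capabilities beyond capture needs: {sorted(extra)}")
    host_net = svc.get("network_mode") == "host"
    if host_net:
        findings.append("network_mode: host shares the host's network namespace")
    for mapping in svc.get("ports", []):
        parts = str(mapping).split(":")
        if host_net:
            # Docker discards published ports when a service uses host networking.
            findings.append(f"port mapping {mapping} is ignored under network_mode: host")
        elif len(parts) < 3 or parts[0] in ("", "0.0.0.0"):
            # "3000:3000" listens on every host interface; keep the web UI on
            # loopback unless remote access is intended.
            local = ":".join(["127.0.0.1", *parts[-2:]])
            findings.append(f"port {mapping} binds all interfaces; prefer {local}")
    return findings

def audit_compose(compose: dict) -> dict[str, list[str]]:
    """Map each service name to its findings; an empty list means clean."""
    return {n: audit_service(s) for n, s in compose["services"].items()}
```

To run it against a real docker-compose.yml, load the file with a YAML parser such as PyYAML's yaml.safe_load and pass the resulting dict to audit_compose.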

Conclusion

Running Wireshark in Docker provides a convenient and isolated environment for network analysis.

By following these steps, you can easily set up Wireshark and start capturing and inspecting network traffic to better understand and secure your network.

Remember to consult the official Wireshark documentation for detailed information on using the tool effectively.