GitHub - wedhornsipgate/cshargextcap: [Edgeshark] Wireshark extcap plugin for container traffic capture live streaming.

Siemens Industrial Edge Edgeshark

Containershark Extcap Plugin for Wireshark

Take a deep dive into your container host virtual networking, even if it's in a remote location. No fiddling with special containers and juggling error-prone CLI Docker commands. Simply click on a "fin" capture button inside one of the containers in Ghostwire's web UI to start a Wireshark live capture session:

Click the Fin!

Confirm and we're live capturing.

What You See Is What You Get

  • Capture network traffic live from your containers (and pods), straight into your Desktop Wireshark on Linux and Windows.

  • Capture from any container without preparing or modifying it for capturing. Just go capturing.

  • Supports stand-alone container hosts, including the Siemens Industrial Edge.

  • Remotely capture not only from containers, but also from the container host itself, process-less network namespaces, et cetera.

  • This Wireshark plugin can be built for Windows 64bit (x86) as well as Linux 64bit (x86, ARM). Currently, we support the .apk, .deb, and .rpm package formats on Linux.

Installation

Head over to our releases page.

  • Linux: download the package matching your CPU architecture (amd64 or arm64) and distro package format (Debian, Alpine, Fedora). Install the downloaded package as usual.

  • Windows: download the ZIP archive for Windows amd64. Double click in file explorer to open its contents, then double click on the installer .exe. You don't need to extract the other files, as the installer works perfectly on its own.

  • Mac OS: build the binaries with make dist; you need to have Go 1.20 installed. Copy the plugin to the Wireshark extcap directory: cp dist/default_darwin_arm64/cshargextcap /Applications/Wireshark.app/Contents/MacOS/extcap

See below for the Quick Start.

Project Map

The Containershark extcap plugin is part of the "Edgeshark" project that consists of several repositories:

Quick Start

Please deploy the G(h)ostwire discovery service and Packetflix packet streaming service on your Docker host.

Then install this plugin: on Windows download and install the cshargextcap installer artifact. On Linux, download and install the cshargextcap package for your distribution (apk, deb, or rpm). In case you want to create the installation files yourself, then simply run make dist in the base directory of this repository. Afterwards, installation files will be found in the dist/ directory.

Now fire up Wireshark. If the installation went through correctly, Wireshark now should show two new "interfaces", as shown below:

Container Live Capture

It's as easy as this:

  1. click the ⚙ gear icon next to the network interface named "Docker host capture".
  2. enter your Docker host's IP address or DNS name, as well as port :5001 into the field "Docker host URL".
  3. click the refresh button to get the list of available pods (and more...).
  4. pick your container.
  5. click the Start button.

...and your live capture starts immediately.

🛈 Wireshark creates the UI for our capture plugin and unfortunately we're therefore (quite) limited to what Wireshark has on offer. Please don't create UI/UX feature requests as we don't have any control over Wireshark's UI – with the exception of our own bugs: please create issues for them in this project's issue tracker.

Please find more details in our csharg Extcap ⚙ Plugin Manual.

Finally, there's also some technical background information in our csharg ⚙ Plugin Technical Details.

Contributing

Please see CONTRIBUTING.md.

License and Copyright

(c) Siemens AG 2023

SPDX-License-Identifier: MIT
