Tcpdump Inside a Container – What Can I See?

Using tcpdump to trace on a Docker virtual bridge interface to see the traffic between all connected containers (see previous post) got me thinking a bit: what can I see if I run tcpdump inside a container connected to a bridge? Will I only be able to see my own traffic, or would I be able to see traffic between other containers as well?

My theoretical answer: an Ethernet bridge only forwards a frame to the port whose attached device (here, the container's virtual interface) owns the destination MAC address, so a container should only receive frames addressed to it. Broadcast frames such as ARP requests are the exception, since a bridge floods them to every port. But theory only goes so far, so I gave it a try in practice. My reason: if I could see more than my own traffic, that would be a potential security problem. Imagine an attacker who breaks out of the software running in a container and then installs tcpdump in that container for eavesdropping.

To try out what would happen, I used my mini-Ubuntu in a container, opened a bash shell in the container (see this post) and then installed tcpdump. With tcpdump inside the container, I then logged the traffic from the container’s Ethernet interface. As expected, tcpdump, despite opening the interface in promiscuous mode, could only see the IP packets going to and from the container. No traffic between other containers on the same virtual Ethernet bridge could be seen.
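To make the experiment repeatable, here is an added example script (mine, not from the original post): it starts three containers on one user-defined bridge, lets one ping another while the third runs tcpdump in promiscuous mode, and then labels every captured frame relative to the sniffer's own MAC address, so that a unicast frame between the two other containers (the leak the post worries about) shows up as `foreign`. The network and container names (`snifftest-net`, `listener`, `talker`, `sniffer`), the image choice and the use of `apt-get` are assumptions; the embedded sample capture is constructed to exercise the classifier offline.

```shell
#!/bin/sh
# Added example, not from the original post. Requires Docker; the image,
# network and container names below are assumptions made for this script.

NET=snifftest-net     # constructed network name
IMG=ubuntu:22.04      # assumption: an image where apt-get works

# classify_frames: read `tcpdump -e -n -l` lines on stdin and label each frame
# relative to the capturing container's own MAC address ($1):
#   own        unicast to or from our MAC            (expected)
#   broadcast  flooded by the bridge to every port   (expected, e.g. ARP)
#   multicast  likewise flooded                      (expected)
#   foreign    unicast between two OTHER containers  (must never appear if
#              the bridge isolates ports as the post describes)
classify_frames() {
  awk -v own="$1" '
    # with -e, field 2 is the source MAC and field 4 the destination MAC
    # (followed by a comma); field 3 is the ">" separator
    NF >= 4 && $3 == ">" {
      src = $2; dst = $4; sub(/,$/, "", dst)
      if (dst == "ff:ff:ff:ff:ff:ff")        label = "broadcast"
      else if (dst ~ /^(01:00:5e|33:33)/)     label = "multicast"
      else if (src == own || dst == own)      label = "own"
      else                                    label = "foreign"
      print label "\t" $0
    }'
}

# count_foreign: number of foreign unicast frames in a capture read from stdin
count_foreign() {
  classify_frames "$1" | grep -c '^foreign' || true
}

# Constructed sample capture (as `tcpdump -e -n -l` would print it) with the
# sniffer at 02:42:ac:12:00:04. Line 1 is an ARP broadcast, line 2 a unicast
# between the two other containers (only visible if isolation fails), line 3
# a reply addressed to the sniffer itself.
SAMPLE_CAPTURE='12:00:00.000001 02:42:ac:12:00:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 172.18.0.2 tell 172.18.0.3, length 28
12:00:00.000002 02:42:ac:12:00:03 > 02:42:ac:12:00:02, ethertype IPv4 (0x0800), length 98: 172.18.0.3 > 172.18.0.2: ICMP echo request, id 1, seq 1, length 64
12:00:00.000003 02:42:ac:12:00:02 > 02:42:ac:12:00:04, ethertype IPv4 (0x0800), length 98: 172.18.0.2 > 172.18.0.4: ICMP echo reply, id 1, seq 1, length 64'

# run_experiment: the live version of the post's test, three containers on one bridge
run_experiment() {
  docker network create "$NET" >/dev/null
  for c in listener talker sniffer; do
    docker run -d --rm --name "$c" --network "$NET" "$IMG" sleep 600 >/dev/null
  done
  # install tcpdump only in the sniffer, as the post does; ping in the talker
  docker exec sniffer sh -c 'apt-get -qq update && apt-get -qq install -y tcpdump' >/dev/null
  docker exec talker  sh -c 'apt-get -qq update && apt-get -qq install -y iputils-ping' >/dev/null
  own_mac=$(docker exec sniffer cat /sys/class/net/eth0/address)

  # talker pings listener by name (user-defined networks resolve container names)
  # while the sniffer captures in promiscuous mode (tcpdump's default without -p)
  docker exec talker ping -c 5 listener >/dev/null &
  capture=$(docker exec sniffer timeout 15 tcpdump -e -n -l -i eth0 -c 20 2>/dev/null)
  wait

  printf '%s\n' "$capture" | classify_frames "$own_mac"
  echo "foreign unicast frames seen: $(printf '%s\n' "$capture" | count_foreign "$own_mac")"

  docker rm -f listener talker sniffer >/dev/null
  docker network rm "$NET" >/dev/null
}

# Classify the constructed sample; run the live experiment only when asked.
printf '%s\n' "$SAMPLE_CAPTURE" | classify_frames 02:42:ac:12:00:04
if [ "${1:-}" = run ]; then
  run_experiment
fi
```

Run it with `sh script.sh run` to perform the live test. ARP broadcasts from the other containers are expected to appear (labelled `broadcast`) and do not indicate a leak; the result the post reports corresponds to a `foreign` count of zero, and any non-zero count means the bridge is forwarding other containers' unicast traffic to the sniffer's port and is worth investigating.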

OK, that is a reassuring result!