TCPDump: How to find out which network requests are made by your tools?

20.08.2024 5 min read

I have a locked-down Linux server where I want to pull and run a Docker container from Docker Hub. Locked-down means here that the egress traffic of that server is restricted by a firewall: the server cannot reach everything on the internet, only the sites I have explicitly allowed.

Therefore I need to find out which URLs are used when I call docker pull. Google might give me an answer, but I want to see exactly what is being accessed, on my own machine, by inspecting the network traffic.

This would also be very useful in other situations, like debugging network issues, etc.

How?

  1. Capture the requests made by docker pull
  2. Check where it tries to connect to

On Linux, with tcpdump, easy enough.

  1. Run sudo tcpdump -i any -w /tmp/http.log to capture on every network interface and write everything to a capture file (a binary pcap file, despite the .log name).
  2. Now your terminal is blocked, so hit Ctrl + Z to suspend the process and then continue it in the background by running the bg command.
  3. Then run the command whose packets we want to capture, for example docker pull nginx, and abort it with Ctrl + C once you think the network requests have been made.
  4. Stop the packet capture by bringing the background process back into the foreground with fg and stopping it with Ctrl + C.
  5. Finally we can read the captured packets with sudo tcpdump -r /tmp/http.log | less or narrow the output to lines mentioning docker with sudo tcpdump -r /tmp/http.log | grep docker (tcpdump sees packets, not processes, so the grep matches the resolved hostnames rather than the docker process itself). If we want to look at the payload of the packets add the -A flag to tcpdump, but usually this is neither required nor readable, since the traffic is TLS-encrypted.
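
As an added example (not the post's own code), here is a small Python script that turns the text output of sudo tcpdump -nn -r /tmp/http.log into an allowlist: it pairs each DNS answer with the name that was asked for, then reports every outbound TCP SYN under that name (or the bare IP when no lookup explains it), which is more reliable than grepping for docker. The sample lines are constructed to mimic tcpdump's output format and are not a real capture.

```python
import re

# Constructed sample of `sudo tcpdump -nn -r /tmp/http.log` output (not a real capture).
# -nn keeps addresses and ports numeric so the patterns below see raw IPs.
SAMPLE = """\
12:00:01.000000 IP 10.0.0.5.40000 > 10.0.0.1.53: 1001+ A? registry-1.docker.io. (38)
12:00:01.010000 IP 10.0.0.1.53 > 10.0.0.5.40000: 1001 1/0/0 A 203.0.113.10 (54)
12:00:01.020000 IP 10.0.0.5.50000 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.030000 IP 203.0.113.10.443 > 10.0.0.5.50000: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.100000 IP 10.0.0.5.40001 > 10.0.0.1.53: 1002+ A? auth.docker.io. (32)
12:00:01.110000 IP 10.0.0.1.53 > 10.0.0.5.40001: 1002 2/0/0 CNAME lb.example.net., A 203.0.113.20 (70)
12:00:01.120000 IP 10.0.0.5.50001 > 203.0.113.20.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000000 IP 10.0.0.5.40002 > 10.0.0.1.53: 1003+ A? ntp.example.org. (33)
12:00:02.010000 IP 10.0.0.1.53 > 10.0.0.5.40002: 1003 1/0/0 A 198.51.100.5 (49)
12:00:03.000000 IP 10.0.0.5.50002 > 192.0.2.7.443: Flags [S], seq 1, win 64240, length 0
"""

# DNS query to port 53: transaction id and the name asked for (A or AAAA).
QUERY = re.compile(r"\.53: (\d+)\+\S* (?:A|AAAA)\? (\S+)\. \(")
# DNS answer from port 53: transaction id and the answer section.
ANSWER = re.compile(r"\.53 > \S+: (\d+)\S* \d+/\d+/\d+ (.*) \(\d+\)$")
# Outbound TCP SYN (pure [S], not the [S.] SYN-ACK coming back): destination IP and port.
SYN = re.compile(r" IP \S+ > ([0-9.]+)\.(\d+): Flags \[S\]")


def egress_targets(dump_text):
    """Return sorted (name_or_ip, port) pairs for every outbound TCP SYN in the
    dump, naming each destination by the DNS query that resolved to it.
    Names that were only looked up but never connected to are left out."""
    name_by_id, name_by_ip = {}, {}
    targets = set()
    for line in dump_text.splitlines():
        if m := QUERY.search(line):
            name_by_id[m.group(1)] = m.group(2)
        elif m := ANSWER.search(line):
            name = name_by_id.get(m.group(1))
            # Only A records carry IPv4 answers; CNAME entries are skipped.
            for ip in re.findall(r"\bA ([0-9.]+)", m.group(2)):
                if name:
                    name_by_ip[ip] = name
        elif m := SYN.search(line):
            ip, port = m.group(1), int(m.group(2))
            targets.add((name_by_ip.get(ip, ip), port))
    return sorted(targets)


if __name__ == "__main__":
    for name, port in egress_targets(SAMPLE):
        print(f"{name}:{port}")
```

A destination that shows up as a bare IP (192.0.2.7 in the sample) was contacted without a preceding DNS lookup in the capture, which is exactly the kind of entry you want to investigate before allowing it.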

ℹ️ Note

Sometimes it’s necessary to change the file permissions of the http.log file after capturing and before viewing.
You can do this with chmod 0644 /tmp/http.log or change the owning user with chown $USER /tmp/http.log.

Now it’s just a matter of looking through the captured requests for the hostnames you can spot. For my docker example, I could identify:

  • registry-1.docker.io
  • docker.io
  • production.cloudflare.docker.com

From the internet I then learned that the following hostnames are also relevant for docker:

  • index.docker.io for the API
  • auth.docker.io for Authentication

So the final list of hostnames I added to my firewall was these five, as you can see in the screenshot.

[Screenshot 2024-08-20-pfsense-screenshot.png: the five Docker hostnames added to the pfSense firewall allow list]

Hope that helped, I’ll definitely make use of this more often.

Credit AskUbuntu