{"id":13416115,"url":"https://github.com/nicolaka/netshoot","last_synced_at":"2025-05-12T09:23:27.449Z","repository":{"id":37730515,"uuid":"66426242","full_name":"nicolaka/netshoot","owner":"nicolaka","description":"a Docker + Kubernetes network trouble-shooting swiss-army container","archived":false,"fork":false,"pushed_at":"2025-04-09T16:47:43.000Z","size":282,"stargazers_count":9269,"open_issues_count":45,"forks_count":1022,"subscribers_count":128,"default_branch":"master","last_synced_at":"2025-04-23T02:59:28.550Z","etag":null,"topics":["containers","docker","kubernetes","network","network-namespace","troubleshooting"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nicolaka.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2016-08-24T03:32:53.000Z","updated_at":"2025-04-22T20:56:44.000Z","dependencies_parsed_at":"2023-02-08T19:46:34.740Z","dependency_job_id":"a06683b9-b0d1-4fd7-91e1-317e6e7fc269","html_url":"https://github.com/nicolaka/netshoot","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nicolaka%2Fnetshoot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nicolaka%2Fnetshoot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nicolaka%2Fnetshoot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nicolaka%2Fnetshoot/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nicolaka","download_url":"https://codeload.github.com/nicolaka/netshoot/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253540661,"owners_count":21924523,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["containers","docker","kubernetes","network","network-namespace","troubleshooting"],"created_at":"2024-07-30T21:00:54.488Z","updated_at":"2025-05-11T08:36:22.423Z","avatar_url":"https://github.com/nicolaka.png","language":"Shell","funding_links":[],"categories":["Shell","Container Operations","Install from Source","HarmonyOS","kubernetes","docker","DevNet Tools","Networking \u0026 Proxies","Networking Utilities"],"sub_categories":["Networking","Troubleshooting","Windows Manager","SD-WAN"],"readme":"## netshoot: a Docker + Kubernetes network trouble-shooting swiss-army container\n\n```\n dP dP dP\n 88 88 88\n88d888b. .d8888b. d8888P .d8888b. 88d888b. .d8888b. .d8888b. d8888P\n88' `88 88ooood8 88 Y8ooooo. 88' `88 88' `88 88' `88 88\n88 88 88. ... 88 88 88 88 88. .88 88. .88 88\ndP dP `88888P' dP `88888P' dP dP `88888P' `88888P' dP\n```\n\n**Purpose:** Docker and Kubernetes network troubleshooting can become complex. With proper understanding of how Docker and Kubernetes networking works and the right set of tools, you can troubleshoot and resolve these networking issues. The `netshoot` container has a set of powerful networking troubleshooting tools that can be used to troubleshoot Docker networking issues. Along with these tools come a set of use-cases that show how this container can be used in real-world scenarios.\n\n**Network Namespaces:** Before starting to use this tool, it's important to go over one key topic: **Network Namespaces**. Network namespaces provide isolation of the system resources associated with networking. Docker uses network and other type of namespaces (`pid`,`mount`,`user`..etc) to create an isolated environment for each container. Everything from interfaces, routes, and IPs is completely isolated within the network namespace of the container. \n\nKubernetes also uses network namespaces. Kubelets creates a network namespace per pod where all containers in that pod share that same network namespace (eths,IP, tcp sockets...etc). This is a key difference between Docker containers and Kubernetes pods.\n\nCool thing about namespaces is that you can switch between them. You can enter a different container's network namespace, perform some troubleshooting on its network's stack with tools that aren't even installed on that container. Additionally, `netshoot` can be used to troubleshoot the host itself by using the host's network namespace. This allows you to perform any troubleshooting without installing any new packages directly on the host or your application's package. \n\n## Netshoot with Docker \n\n* **Container's Network Namespace:** If you're having networking issues with your application's container, you can launch `netshoot` with that container's network namespace like this:\n\n `$ docker run -it --net container:\u003ccontainer_name\u003e nicolaka/netshoot`\n\n* **Host's Network Namespace:** If you think the networking issue is on the host itself, you can launch `netshoot` with that host's network namespace:\n\n `$ docker run -it --net host nicolaka/netshoot`\n\n* **Network's Network Namespace:** If you want to troubleshoot a Docker network, you can enter the network's namespace using `nsenter`. This is explained in the `nsenter` section below.\n\n## Netshoot with Docker Compose\n\nYou can easily deploy `netshoot` using Docker Compose using something like this:\n\n```\nversion: \"3.6\"\nservices:\n tcpdump:\n image: nicolaka/netshoot\n depends_on:\n - nginx\n command: tcpdump -i eth0 -w /data/nginx.pcap\n network_mode: service:nginx\n volumes:\n - $PWD/data:/data\n\n nginx:\n image: nginx:alpine\n ports:\n - 80:80\n```\n\n## Netshoot with Kubernetes\n\n* if you want to debug using an [ephemeral container](https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#ephemeral-container-example) in an existing pod:\n\n `$ kubectl debug mypod -it --image=nicolaka/netshoot`\n\n* if you want to spin up a throw away pod for debugging.\n\n `$ kubectl run tmp-shell --rm -i --tty --image nicolaka/netshoot`\n\n* if you want to spin up a container on the host's network namespace.\n\n `$ kubectl run tmp-shell --rm -i --tty --overrides='{\"spec\": {\"hostNetwork\": true}}' --image nicolaka/netshoot`\n\n* if you want to use netshoot as a sidecar container to troubleshoot your application container\n\n ```\n $ cat netshoot-sidecar.yaml\n apiVersion: apps/v1\n kind: Deployment\n metadata:\n name: nginx-netshoot\n labels:\n app: nginx-netshoot\n spec:\n replicas: 1\n selector:\n matchLabels:\n app: nginx-netshoot\n template:\n metadata:\n labels:\n app: nginx-netshoot\n spec:\n containers:\n - name: nginx\n image: nginx:1.14.2\n ports:\n - containerPort: 80\n - name: netshoot\n image: nicolaka/netshoot\n command: [\"/bin/bash\"]\n args: [\"-c\", \"while true; do ping localhost; sleep 60;done\"]\n\n $ kubectl apply -f netshoot-sidecar.yaml\n deployment.apps/nginx-netshoot created\n\n $ kubectl get pod\nNAME READY STATUS RESTARTS AGE\nnginx-netshoot-7f9c6957f8-kr8q6 2/2 Running 0 4m27s\n\n $ kubectl exec -it nginx-netshoot-7f9c6957f8-kr8q6 -c netshoot -- /bin/zsh\n dP dP dP\n 88 88 88\n 88d888b. .d8888b. d8888P .d8888b. 88d888b. .d8888b. .d8888b. d8888P\n 88' `88 88ooood8 88 Y8ooooo. 88' `88 88' `88 88' `88 88\n 88 88 88. ... 88 88 88 88 88. .88 88. .88 88\n dP dP `88888P' dP `88888P' dP dP `88888P' `88888P' dP\n\n Welcome to Netshoot! (github.com/nicolaka/netshoot)\n\n\n nginx-netshoot-7f9c6957f8-kr8q6 $ \n ```\n\n## The netshoot kubectl plugin\n\nTo easily troubleshoot networking issues in your k8s environment, you can leverage the [Netshoot Kubectl Plugin](https://github.com/nilic/kubectl-netshoot) (shout out to Nebojsa Ilic for creating it!). Using this kubectl plugin, you can easily create ephemeral `netshoot` containers to troubleshoot existing pods, k8s controller or worker nodes. To install the plugin, follow [these steps](https://github.com/nilic/kubectl-netshoot#installation).\n\nSample Usage:\n\n```\n# spin up a throwaway pod for troubleshooting\nkubectl netshoot run tmp-shell\n\n# debug using an ephemeral container in an existing pod\nkubectl netshoot debug my-existing-pod\n\n# create a debug session on a node\nkubectl netshoot debug node/my-node\n```\n\n\n\n**Network Problems** \n\nMany network issues could result in application performance degradation. Some of those issues could be related to the underlying networking infrastructure(underlay). Others could be related to misconfiguration at the host or Docker level. Let's take a look at common networking issues:\n\n* latency\n* routing \n* DNS resolution\n* firewall \n* incomplete ARPs\n\nTo troubleshoot these issues, `netshoot` includes a set of powerful tools as recommended by this diagram. \n\n![](http://www.brendangregg.com/Perf/linux_observability_tools.png)\n\n\n**Included Packages:** The following packages are included in `netshoot`. We'll go over some with some sample use-cases.\n\n apache2-utils \\\n bash \\\n bind-tools \\\n bird \\\n bridge-utils \\\n busybox-extras \\\n conntrack-tools \\\n curl \\\n dhcping \\\n drill \\\n ethtool \\\n file\\\n fping \\\n grpcurl \\\n iftop \\\n iperf \\\n iperf3 \\\n iproute2 \\\n ipset \\\n iptables \\\n iptraf-ng \\\n iputils \\\n ipvsadm \\\n jq \\\n libc6-compat \\\n liboping \\\n ltrace \\\n mtr \\\n net-snmp-tools \\\n netcat-openbsd \\\n nftables \\\n ngrep \\\n nmap \\\n nmap-nping \\\n nmap-scripts \\\n openssl \\\n py3-pip \\\n py3-setuptools \\\n scapy \\\n socat \\\n speedtest-cli \\\n openssh \\\n strace \\\n tcpdump \\\n tcptraceroute \\\n tshark \\\n util-linux \\\n vim \\\n git \\\n zsh \\\n websocat \\\n swaks \\\n perl-crypt-ssleay \\\n perl-net-ssleay\n \n## **Sample Use-cases** \n\n## iperf \n\nPurpose: test networking performance between two containers/hosts. \n\nCreate Overlay network:\n\n```\n$ docker network create -d overlay perf-test\n```\nLaunch two containers:\n\n```\nšŸ³ ā†’ docker service create --name perf-test-a --network perf-test nicolaka/netshoot iperf -s -p 9999\n7dkcckjs0g7b4eddv8e5ez9nv\n\n\nšŸ³ ā†’ docker service create --name perf-test-b --network perf-test nicolaka/netshoot iperf -c perf-test-a -p 9999\n2yb6fxls5ezfnav2z93lua8xl\n\n\n\n šŸ³ ā†’ docker service ls\nID NAME REPLICAS IMAGE COMMAND\n2yb6fxls5ezf perf-test-b 1/1 nicolaka/netshoot iperf -c perf-test-a -p 9999\n7dkcckjs0g7b perf-test-a 1/1 nicolaka/netshoot iperf -s -p 9999\n\n\n\nšŸ³ ā†’ docker ps\nCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES\nce4ff40a5456 nicolaka/netshoot:latest \"iperf -s -p 9999\" 31 seconds ago Up 30 seconds perf-test-a.1.bil2mo8inj3r9nyrss1g15qav\n\nšŸ³ ā†’ docker logs ce4ff40a5456\n------------------------------------------------------------\nServer listening on TCP port 9999\nTCP window size: 85.3 KByte (default)\n------------------------------------------------------------\n[ 4] local 10.0.3.3 port 9999 connected with 10.0.3.5 port 35102\n[ ID] Interval Transfer Bandwidth\n[ 4] 0.0-10.0 sec 32.7 GBytes 28.1 Gbits/sec\n[ 5] local 10.0.3.3 port 9999 connected with 10.0.3.5 port 35112\n\n```\n\n## tcpdump\n\n**tcpdump** is a powerful and common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over an attached network interface. \n\n```\n# Continuing on the iperf example. Let's launch netshoot with perf-test-a's container network namespace.\n\nšŸ³ ā†’ docker run -it --net container:perf-test-a.1.0qlf1kaka0cq38gojf7wcatoa nicolaka/netshoot \n\n# Capturing packets on eth0 and tcp port 9999.\n\n/ # tcpdump -i eth0 port 9999 -c 1 -Xvv\ntcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes\n23:14:09.771825 IP (tos 0x0, ttl 64, id 60898, offset 0, flags [DF], proto TCP (6), length 64360)\n 10.0.3.5.60032 \u003e 0e2ccbf3d608.9999: Flags [.], cksum 0x1563 (incorrect -\u003e 0x895d), seq 222376702:222441010, ack 3545090958, win 221, options [nop,nop,TS val 2488870 ecr 2488869], length 64308\n\t0x0000: 4500 fb68 ede2 4000 4006 37a5 0a00 0305 E..h..@.@.7.....\n\t0x0010: 0a00 0303 ea80 270f 0d41 32fe d34d cb8e ......'..A2..M..\n\t0x0020: 8010 00dd 1563 0000 0101 080a 0025 fa26 .....c.......%.\u0026\n\t0x0030: 0025 fa25 0000 0000 0000 0001 0000 270f .%.%..........'.\n\t0x0040: 0000 0000 0000 0000 ffff d8f0 3435 3637 ............4567\n\t0x0050: 3839 3031 3233 3435 3637 3839 3031 3233 8901234567890123\n\t0x0060: 3435 3637 3839 3031 3233 3435 3637 3839 4567890123456789\n\t0x0070: 3031 3233 3435 3637 3839 3031 3233 3435 0123456789012345\n\t0x0080: 3637 3839 3031 3233 3435 3637 3839 3031 6789012345678901\n\t0x0090: 3233 3435 3637 3839 3031 3233 3435 3637 2345678901234567\n\t0x00a0: 3839 3031 3233 3435 3637 3839 3031 3233 8901234567890123\n\t0x00b0: 3435 3637 3839 3031 3233 3435 3637 3839 4567890123456789\n\t0x00c0: 3031 3233 3435 3637 3839 3031 3233 3435 0123456789012345\n\t0x00d0: 3637 3839 3031 3233 3435 3637 3839 3031 6789012345678901\n\t0x00e0: 3233 3435 3637 3839 3031 3233 3435 3637 2345678901234567\n\t0x00f0: 3839 3031 3233 3435 3637 3839 3031 3233 8901234567890123\n\t0x0100: 3435 3637 3839 3031 3233 3435 3637 3839 4567890123456789\n\t\n```\n\nMore info on `tcpdump` can be found [here](http://www.tcpdump.org/tcpdump_man.html).\n\n## netstat\n\nPurpose: `netstat` is a useful tool for checking your network configuration and activity. \n\nContinuing on from `iperf` example. Let's use `netstat` to confirm that it's listening on port `9999`. \n\n\n```\nšŸ³ ā†’ docker run -it --net container:perf-test-a.1.0qlf1kaka0cq38gojf7wcatoa nicolaka/netshoot \n\n/ # netstat -tulpn\nActive Internet connections (only servers)\nProto Recv-Q Send-Q Local Address Foreign Address State PID/Program name\ntcp 0 0 127.0.0.11:46727 0.0.0.0:* LISTEN -\ntcp 0 0 0.0.0.0:9999 0.0.0.0:* LISTEN -\nudp 0 0 127.0.0.11:39552 0.0.0.0:* -\n```\n\n## nmap\n`nmap` (\"Network Mapper\") is an open source tool for network exploration and security auditing. It is very useful for scanning to see which ports are open between a given set of hosts. This is a common thing to check for when installing Swarm or UCP because a range of ports is required for cluster communication. The command analyzes the connection pathway between the host where `nmap` is running and the given target address.\n\n```\nšŸ³ ā†’ docker run -it --privileged nicolaka/netshoot nmap -p 12376-12390 -dd 172.31.24.25\n\n...\nDiscovered closed port 12388/tcp on 172.31.24.25\nDiscovered closed port 12379/tcp on 172.31.24.25\nDiscovered closed port 12389/tcp on 172.31.24.25\nDiscovered closed port 12376/tcp on 172.31.24.25\n...\n```\nThere are several states that ports will be discovered as:\n\n- `open`: the pathway to the port is open and there is an application listening on this port.\n- `closed`: the pathway to the port is open but there is no application listening on this port.\n- `filtered`: the pathway to the port is closed, blocked by a firewall, routing rules, or host-based rules.\n\n## iftop\n\nPurpose: iftop does for network usage what top does for CPU usage. It listens to network traffic on a named interface and displays a table of current bandwidth usage by pairs of hosts.\n\nContinuing the `iperf` example.\n\n```\n ā†’ docker ps\nCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES\nce4ff40a5456 nicolaka/netshoot:latest \"iperf -s -p 9999\" 5 minutes ago Up 5 minutes perf-test-a.1.bil2mo8inj3r9nyrss1g15qav\n\nšŸ³ ā†’ docker run -it --net container:perf-test-a.1.bil2mo8inj3r9nyrss1g15qav nicolaka/netshoot iftop -i eth0\n\n```\n\n![iftop.png](img/iftop.png)\n\n## drill\n\nPurpose: drill is a tool\tto designed to get all sorts of information out of the DNS.\n\nContinuing the `iperf` example, we'll use `drill` to understand how services' DNS is resolved in Docker. \n\n```\nšŸ³ ā†’ docker run -it --net container:perf-test-a.1.bil2mo8inj3r9nyrss1g15qav nicolaka/netshoot drill -V 5 perf-test-b\n;; -\u003e\u003eHEADER\u003c\u003c- opcode: QUERY, rcode: NOERROR, id: 0\n;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0\n;; QUESTION SECTION:\n;; perf-test-b.\tIN\tA\n\n;; ANSWER SECTION:\n\n;; AUTHORITY SECTION:\n\n;; ADDITIONAL SECTION:\n\n;; Query time: 0 msec\n;; WHEN: Thu Aug 18 02:08:47 2016\n;; MSG SIZE rcvd: 0\n;; -\u003e\u003eHEADER\u003c\u003c- opcode: QUERY, rcode: NOERROR, id: 52723\n;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0\n;; QUESTION SECTION:\n;; perf-test-b.\tIN\tA\n\n;; ANSWER SECTION:\nperf-test-b.\t600\tIN\tA\t10.0.3.4 \u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c Service VIP\n\n;; AUTHORITY SECTION:\n\n;; ADDITIONAL SECTION:\n\n;; Query time: 1 msec\n;; SERVER: 127.0.0.11 \u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c Local resolver \n;; WHEN: Thu Aug 18 02:08:47 2016\n;; MSG SIZE rcvd: 56\n```\n\n## netcat\n\nPurpose: a simple Unix utility that reads and writes data across network connections, using the TCP or UDP protocol. It's useful for testing and troubleshooting TCP/UDP connections. `netcat` can be used to detect if there's a firewall rule blocking certain ports.\n\n```\nšŸ³ ā†’ docker network create -d overlay my-ovl\n55rohpeerwqx8og4n0byr0ehu\n\nšŸ³ ā†’ docker service create --name service-a --network my-ovl -p 8080:8080 nicolaka/netshoot nc -l 8080\nbnj517hh4ylpf7ewawsp9unrc\n\nšŸ³ ā†’ docker service create --name service-b --network my-ovl nicolaka/netshoot nc -vz service-a 8080\n3xv1ukbd3kr03j4uybmmlp27j\n\nšŸ³ ā†’ docker logs service-b.1.0c5wy4104aosovtl1z9oixiso\nConnection to service-a 8080 port [tcp/http-alt] succeeded!\n\n```\n## netgen\nPurpose: `netgen` is a simple [script](netgen.sh) that will generate a packet of data between containers periodically using `netcat`. The generated traffic can be used to demonstrate different features of the networking stack.\n\n`netgen \u003chost\u003e \u003cip\u003e` will create a `netcat` server and client listening and sending to the same port.\n\nUsing `netgen` with `docker run`:\n\n```\nšŸ³ ā†’ docker network create -d bridge br\n01b167971453700cf0a40d7e1a0dc2b0021e024bbb119541cc8c1858343c9cfc\n\nšŸ³ ā†’ docker run -d --rm --net br --name c1 nicolaka/netshoot netgen c2 5000\n8c51eb2100c35d14244dcecb80839c780999159985415a684258c7154ec6bd42\n\nšŸ³ ā†’ docker run -it --rm --net br --name c2 nicolaka/netshoot netgen c1 5000\nListener started on port 5000\nSending traffic to c1 on port 5000 every 10 seconds\nSent 1 messages to c1:5000\nSent 2 messages to c1:5000\n\nšŸ³ ā†’ sudo tcpdump -vvvn -i eth0 port 5000\n...\n```\n\nUsing `netgen` with `docker services`:\n\n```\nšŸ³ ā†’ docker network create -d overlay ov\n01b167971453700cf0a40d7e1a0dc2b0021e024bbb119541cc8c1858343c9cfc\n\nšŸ³ ā†’ docker service create --network ov --replicas 3 --name srvc netshoot netgen srvc 5000\ny93t8mb9wgzsc27f7l2rdu5io\n\nšŸ³ ā†’ docker service logs srvc\nsrvc.1.vwklts5ybq5w@moby | Listener started on port 5000\nsrvc.1.vwklts5ybq5w@moby | Sending traffic to srvc on port 5000 every 10 seconds\nsrvc.1.vwklts5ybq5w@moby | Sent 1 messages to srvc:5000\nsrvc.3.dv4er00inlxo@moby | Listener started on port 5000\nsrvc.2.vu47gf0sdmje@moby | Listener started on port 5000\n...\n\n\nšŸ³ ā†’ sudo tcpdump -vvvn -i eth0 port 5000\n...\n```\n\n## iproute2\n\npurpose: a collection of utilities for controlling TCP / IP networking and traffic control in Linux.\n\n```\n# Sample routing and arp table of the docker host.\n\nšŸ³ ā†’ docker run -it --net host nicolaka/netshoot\n\n/ # ip route show\ndefault via 192.168.65.1 dev eth0 metric 204\n172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1\n172.19.0.0/16 dev br-fd694678f5c3 proto kernel scope link src 172.19.0.1 linkdown\n172.20.0.0/16 dev docker_gwbridge proto kernel scope link src 172.20.0.1\n172.21.0.0/16 dev br-0d73cc4ac114 proto kernel scope link src 172.21.0.1 linkdown\n172.22.0.0/16 dev br-1eb1f1e84df8 proto kernel scope link src 172.22.0.1 linkdown\n172.23.0.0/16 dev br-aafed4ec941f proto kernel scope link src 172.23.0.1 linkdown\n192.168.65.0/29 dev eth0 proto kernel scope link src 192.168.65.2\n\n/ # ip neigh show\n192.168.65.1 dev eth0 lladdr f6:16:36:bc:f9:c6 STALE\n172.17.0.7 dev docker0 lladdr 02:42:ac:11:00:07 STALE\n172.17.0.6 dev docker0 lladdr 02:42:ac:11:00:06 STALE\n172.17.0.5 dev docker0 lladdr 02:42:ac:11:00:05 STALE\n```\n\nMore info on `iproute2` [here](http://lartc.org/howto/lartc.iproute2.tour.html)\n\n## nsenter\n\nPurpose: `nsenter` is a powerful tool allowing you to enter into any namespaces. `nsenter` is available inside `netshoot` but requires `netshoot` to be run as a privileged container. Additionally, you may want to mount the `/var/run/docker/netns` directory to be able to enter any network namespace including bridge and overlay networks. \n\nWith `docker run --name container-B --net container:container-A `, docker uses `container-A`'s network namespace ( including interfaces and routes) when creating `container-B`. This approach is helpful for troubleshooting network issues at the container level. To troubleshoot network issues at the bridge or overlay network level, you need to enter the `namespace` of the network _itself_. `nsenter` allows you to do that. \n\nFor example, if we wanted to check the L2 forwarding table for a overlay network. We need to enter the overlay network namespace and use same tools in `netshoot` to check these entries. The following examples go over some use cases for using `nsenter` to understand what's happening within a docker network ( overlay in this case).\n\n```\n# Creating an overlay network\nšŸ³ ā†’ docker network create -d overlay nsenter-test\n9tp0f348donsdj75pktssd97b\n\n# Launching a simple busybox service with 3 replicas\nšŸ³ ā†’ docker service create --name nsenter-l2-table-test --replicas 3 --network nsenter-test busybox ping localhost\n3692i3q3u8nephdco2c10ro4c\n\n# Inspecting the service\nšŸ³ ā†’ docker network inspect nsenter-test\n[\n {\n \"Name\": \"nsenter-test\",\n \"Id\": \"9tp0f348donsdj75pktssd97b\",\n \"Scope\": \"swarm\",\n \"Driver\": \"overlay\",\n \"EnableIPv6\": false,\n \"IPAM\": {\n \"Driver\": \"default\",\n \"Options\": null,\n \"Config\": [\n {\n \"Subnet\": \"10.0.1.0/24\",\n \"Gateway\": \"10.0.1.1\"\n }\n ]\n },\n \"Internal\": false,\n \"Containers\": {\n \"0ebe0fab555d2e2ef2fcda634bef2071ad3f5842b06bd134b40f259ab9be4f13\": {\n \"Name\": \"nsenter-l2-table-test.2.83uezc16jcaz2rp6cjwyf4605\",\n \"EndpointID\": \"3064946bb0224a4b3647cefcba18dcbea71b90a2ba1c09212a7bc599ec1ed3eb\",\n \"MacAddress\": \"02:42:0a:00:01:04\",\n \"IPv4Address\": \"10.0.1.4/24\",\n \"IPv6Address\": \"\"\n },\n \"55065360ac1c71638fdef50a073a661dec53b693409c5e09f8f854abc7dbb373\": {\n \"Name\": \"nsenter-l2-table-test.1.4ryh3wmmv21nsrfwmilanypqq\",\n \"EndpointID\": \"f81ae5f979d6c54f60636ca9bb2107d95ebf9a08f64786c549e87a66190f1b1f\",\n \"MacAddress\": \"02:42:0a:00:01:03\",\n \"IPv4Address\": \"10.0.1.3/24\",\n \"IPv6Address\": \"\"\n },\n \"57eca277749bb01a488f0e6c4e91dc6720b7c8f08531536377b29a972971f54b\": {\n \"Name\": \"nsenter-l2-table-test.3.9cuoq5m2ue1wi4lsw64k88tvz\",\n \"EndpointID\": \"ff1a251ffd6c674cd5fd117386d1a197ab68b4ed708187035d91ff5bd5fe0251\",\n \"MacAddress\": \"02:42:0a:00:01:05\",\n \"IPv4Address\": \"10.0.1.5/24\",\n \"IPv6Address\": \"\"\n }\n },\n \"Options\": {\n \"com.docker.network.driver.overlay.vxlanid_list\": \"260\"\n },\n \"Labels\": {}\n }\n]\n\n# Launching netshoot in privileged mode\n šŸ³ ā†’ docker run -it --rm -v /var/run/docker/netns:/var/run/docker/netns --privileged=true nicolaka/netshoot\n \n# Listing all docker-created network namespaces\n \n/ # cd /var/run/docker/netns/\n/var/run/docker/netns # ls\n0b1b36d33313 1-9tp0f348do 14d1428c3962 645eb414b538 816b96054426 916dbaa7ea76 db9fd2d68a9b e79049ce9994 f857b5c01ced\n1-9r17dodsxt 1159c401b8d8 1a508036acc8 7ca29d89293c 83b743f2f087 aeed676a57a5 default f22ffa5115a0\n\n# The overlay network that we created had an id of 9tp0f348donsdj75pktssd97b. All overlay networks are named \u003cnumber\u003e-\u003cid\u003e. We can see it in the list as `1-9tp0f348do`. To enter it:\n\n/ # nsenter --net=/var/run/docker/netns/1-9tp0f348do sh\n\n# Now all the commands we issue are within that namespace. \n\n/ # ifconfig\nbr0 Link encap:Ethernet HWaddr 02:15:B8:E7:DE:B3\n inet addr:10.0.1.1 Bcast:0.0.0.0 Mask:255.255.255.0\n inet6 addr: fe80::20ce:a5ff:fe63:437d%32621/64 Scope:Link\n UP BROADCAST RUNNING MULTICAST MTU:1450 Metric:1\n RX packets:36 errors:0 dropped:0 overruns:0 frame:0\n TX packets:18 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:0\n RX bytes:2224 (2.1 KiB) TX bytes:1348 (1.3 KiB)\n\nlo Link encap:Local Loopback\n inet addr:127.0.0.1 Mask:255.0.0.0\n inet6 addr: ::1%32621/128 Scope:Host\n UP LOOPBACK RUNNING MTU:65536 Metric:1\n RX packets:4 errors:0 dropped:0 overruns:0 frame:0\n TX packets:4 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:1\n RX bytes:336 (336.0 B) TX bytes:336 (336.0 B)\n\nveth2 Link encap:Ethernet HWaddr 02:15:B8:E7:DE:B3\n inet6 addr: fe80::15:b8ff:fee7:deb3%32621/64 Scope:Link\n UP BROADCAST RUNNING MULTICAST MTU:1450 Metric:1\n RX packets:9 errors:0 dropped:0 overruns:0 frame:0\n TX packets:32 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:0\n RX bytes:690 (690.0 B) TX bytes:2460 (2.4 KiB)\n\nveth3 Link encap:Ethernet HWaddr 7E:55:C3:5C:C2:78\n inet6 addr: fe80::7c55:c3ff:fe5c:c278%32621/64 Scope:Link\n UP BROADCAST RUNNING MULTICAST MTU:1450 Metric:1\n RX packets:13 errors:0 dropped:0 overruns:0 frame:0\n TX packets:26 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:0\n RX bytes:970 (970.0 B) TX bytes:1940 (1.8 KiB)\n\nveth4 Link encap:Ethernet HWaddr 72:95:AB:A1:6A:87\n inet6 addr: fe80::7095:abff:fea1:6a87%32621/64 Scope:Link\n UP BROADCAST RUNNING MULTICAST MTU:1450 Metric:1\n RX packets:14 errors:0 dropped:0 overruns:0 frame:0\n TX packets:27 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:0\n RX bytes:1068 (1.0 KiB) TX bytes:2038 (1.9 KiB)\n\nvxlan1 Link encap:Ethernet HWaddr EA:EC:1D:B1:7D:D7\n inet6 addr: fe80::e8ec:1dff:feb1:7dd7%32621/64 Scope:Link\n UP BROADCAST RUNNING MULTICAST MTU:1450 Metric:1\n RX packets:0 errors:0 dropped:0 overruns:0 frame:0\n TX packets:0 errors:0 dropped:33 overruns:0 carrier:0\n collisions:0 txqueuelen:0\n RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)\n\n# Let's check out the L2 forwarding table. These MAC addresses belong to the tasks/containers in this service. \n\n/ # bridge fdb show br br0\n33:33:00:00:00:01 dev br0 self permanent\n01:00:5e:00:00:01 dev br0 self permanent\n33:33:ff:63:43:7d dev br0 self permanent\nea:ec:1d:b1:7d:d7 dev vxlan1 master br0 permanent\n02:15:b8:e7:de:b3 dev veth2 master br0 permanent\n33:33:00:00:00:01 dev veth2 self permanent\n01:00:5e:00:00:01 dev veth2 self permanent\n33:33:ff:e7:de:b3 dev veth2 self permanent\n7e:55:c3:5c:c2:78 dev veth3 master br0 permanent\n33:33:00:00:00:01 dev veth3 self permanent\n01:00:5e:00:00:01 dev veth3 self permanent\n33:33:ff:5c:c2:78 dev veth3 self permanent\n72:95:ab:a1:6a:87 dev veth4 master br0 permanent\n33:33:00:00:00:01 dev veth4 self permanent\n01:00:5e:00:00:01 dev veth4 self permanent\n33:33:ff:a1:6a:87 dev veth4 self permanent\n\n\n# ARP and routing tables. Note that an overlay network only routes traffic for that network. It only has a single route that matches the subnet of that network.\n\n/ # ip neigh show\n/ # ip route\n10.0.1.0/24 dev br0 proto kernel scope link src 10.0.1.1\n\n# Looks like the arp table is flushed. Let's ping some of the containers on this network.\n\n/ # ping 10.0.1.4\nPING 10.0.1.4 (10.0.1.4) 56(84) bytes of data.\n64 bytes from 10.0.1.4: icmp_seq=1 ttl=64 time=0.207 ms\n64 bytes from 10.0.1.4: icmp_seq=2 ttl=64 time=0.087 ms\n^C\n--- 10.0.1.4 ping statistics ---\n2 packets transmitted, 2 received, 0% packet loss, time 1002ms\nrtt min/avg/max/mdev = 0.087/0.147/0.207/0.060 ms\n\n/ # ip neigh show\n10.0.1.4 dev br0 lladdr 02:42:0a:00:01:04 REACHABLE\n\n# and using bridge-utils to show interfaces of the overlay network local bridge.\n\n/ # brctl show\nbridge name\tbridge id\t\tSTP enabled\tinterfaces\nbr0\t\t8000.0215b8e7deb3\tno\t\tvxlan1\n\t\t\t\t\t\t\tveth2\n\t\t\t\t\t\t\tveth3\n\t\t\t\t\t\t\tveth4\n```\n\n## CTOP\n\nctop is a free open source, simple and cross-platform top-like command-line tool for monitoring container metrics in real-time. It allows you to get an overview of metrics concerning CPU, memory, network, I/O for multiple containers and also supports inspection of a specific container.\n\nTo get data into ctop, you'll need to bind docker.sock into the netshoot container.\n\n`/ # docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock nicolaka/netshoot ctop`\n\n![ctop.png](img/ctop.png)\n\nIt will display running and existed containers with useful metrics to help troubleshoot resource issues; hit \"q\" to exit.\n\n## Termshark\n\nTermshark is a terminal user-interface for tshark. It allows user to read pcap files or sniff live interfaces with Wireshark's display filters. \n\n```\n# Launching netshoot with NET_ADMIN and CAP_NET_RAW capabilities. Capturing packets on eth0 with icmp \n/ # docker run --rm --cap-add=NET_ADMIN --cap-add=NET_RAW -it nicolaka/netshoot termshark -i eth0 icmp\n```\n\n```\n# Launching netshoot with NET_ADMIN and CAP_NET_RAW capabilities Reading packets from ipv4frags.pcap\n\n/ # docker run --rm --cap-add=NET_ADMIN --cap-add=NET_RAW -v /tmp/ipv4frags.pcap:/tmp/ipv4frags.pcap -it nicolaka/netshoot termshark -r /tmp/ipv4frags.pcap\n```\nMore info on `termshark` [here](https://github.com/gcla/termshark)\n\n## Swaks\n\nSwaks (Swiss Army Knife for SMTP) is a featureful, flexible, scriptable, transaction-oriented SMTP test tool. It is free to use and licensed under the GNU GPLv2.\n\nYou can use it to test and troubleshoot email servers with a crystal-clear syntax:\n\n```bash\nswaks --to user@example.com \\\n --from fred@example.com --h-From: '\"Fred Example\" \u003cfred@example.com\u003e' \\\n --auth CRAM-MD5 --auth-user me@example.com \\\n --header-X-Test \"test email\" \\\n --tls \\\n --data \"Example body\"\n```\n\nMore info, examples and lots of documentation on `Swaks` [here](http://www.jetmore.org/john/code/swaks/)\n\n## Grpcurl\ngrpcurl is a command-line tool that lets you interact with gRPC servers. It's basically curl for gRPC servers.\n\nInvoking an RPC on a trusted server (e.g. TLS without self-signed key or custom CA) that requires no client certs and supports server reflection is the simplest thing to do with grpcurl. This minimal invocation sends an empty request body:\n\n```bash\ngrpcurl grpc.server.com:443 my.custom.server.Service/Method\n\n# no TLS\ngrpcurl -plaintext grpc.server.com:80 my.custom.server.Service/Method\n```\n\nMore info, examples and lots of documentation on `Grpcurl` [here](https://github.com/fullstorydev/grpcurl)\n\n## Fortio\n\nFortio is a fast, small (4Mb docker image, minimal dependencies), reusable, embeddable go library as well as a command line tool and server process, the server includes a simple web UI and REST API to trigger run and see graphical representation of the results (both a single latency graph and a multiple results comparative min, max, avg, qps and percentiles graphs).\n\n```bash\n$ fortio load http://www.google.com\nFortio X.Y.Z running at 8 queries per second, 8-\u003e8 procs, for 5s: http://www.google.com\n19:10:33 I httprunner.go:84\u003e Starting http test for http://www.google.com with 4 threads at 8.0 qps\nStarting at 8 qps with 4 thread(s) [gomax 8] for 5s : 10 calls each (total 40)\n19:10:39 I periodic.go:314\u003e T002 ended after 5.056753279s : 10 calls. qps=1.9775534712220633\n19:10:39 I periodic.go:314\u003e T001 ended after 5.058085991s : 10 calls. qps=1.9770324224999916\n19:10:39 I periodic.go:314\u003e T000 ended after 5.058796046s : 10 calls. qps=1.9767549252963101\n19:10:39 I periodic.go:314\u003e T003 ended after 5.059557593s : 10 calls. qps=1.9764573910247019\nEnded after 5.059691387s : 40 calls. qps=7.9056\nSleep times : count 36 avg 0.49175757 +/- 0.007217 min 0.463508712 max 0.502087879 sum 17.7032725\nAggregated Function Time : count 40 avg 0.060587641 +/- 0.006564 min 0.052549016 max 0.089893269 sum 2.42350566\n# range, mid point, percentile, count\n\u003e= 0.052549 \u003c 0.06 , 0.0562745 , 47.50, 19\n\u003e= 0.06 \u003c 0.07 , 0.065 , 92.50, 18\n\u003e= 0.07 \u003c 0.08 , 0.075 , 97.50, 2\n\u003e= 0.08 \u003c= 0.0898933 , 0.0849466 , 100.00, 1\n# target 50% 0.0605556\n# target 75% 0.0661111\n# target 99% 0.085936\n# target 99.9% 0.0894975\nCode 200 : 40\nResponse Header Sizes : count 40 avg 690.475 +/- 15.77 min 592 max 693 sum 27619\nResponse Body/Total Sizes : count 40 avg 12565.2 +/- 301.9 min 12319 max 13665 sum 502608\nAll done 40 calls (plus 4 warmup) 60.588 ms avg, 7.9 qps\n```\n\nMore info, examples and lots of documentation on `Fortio` [here](https://github.com/fortio/fortio)\n\n## Contribution\n\nFeel free to provide to contribute networking troubleshooting tools and use-cases by opening PRs. If you would like to add any package, please follow these steps:\n\n* In the PR, please include some rationale as to why this tool is useful to be included in netshoot. \n \u003e Note: If the functionality of the tool is already addressed by an existing tool, I might not accept the PR\n* Change the Dockerfile to include the new package/tool\n* If you're building the tool from source, make sure you leverage the multi-stage build process and update the `build/fetch_binaries.sh` script \n* Update the README's list of included packages AND include a section on how to use the tool\n* If the tool you're adding supports multi-platform, please make sure you highlight that.\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnicolaka%2Fnetshoot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnicolaka%2Fnetshoot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnicolaka%2Fnetshoot/lists"}