Docker-compose suricata doesn't sniff packages

I have a docker-compose with some containers and a dedicated network (172.20.0.0/16)
This is the Dockerfile of my suricata instance:

FROM jasonish/suricata:latest

ENV SURICATA_OPTIONS="-i eth0"

COPY ./suricata.yaml /etc/suricata/suricata.yaml
COPY ./suricata.rules /var/lib/suricata/rules/suricata.rules

I changed the default ruleset and some config (like HOME_NET: "[172.20.0.0/16]")
The other containers use the same network to communicate, however suricata seems not to sniff packages except ARP.
I enabled the .pcap log in the config file like this:

outputs:
  - pcap-log:
      enabled: yes
      filename: log.pcap
      limit: 1000mb
      max-files: 2000
      mode: normal # normal, multi or sguil.
      honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.

I expect now I have all the suricata sniffed packages. However, when I look at the pcap file with Wireshark I get only ARP and nothing else:

I’m sure on the 172.20.0.0/16 network there is other traffic but it seems ignored by suricata.

It might be helpful to jump into that container (i.e. with docker exec) and use tcpdump to verify that the traffic you are looking for is actually there.

I know from a Docker-compose setup I have, which puts all the containers on the same network, that sniffing an interface in one does not expose the traffic from the other, unless of course that communication is between the 2 containers.

However, I appear to be able to sniff an interface on the host and see inter-container traffic, on an interface with a name like br-7f06e89b8b23.

Thank you for the answer and for the advices!
I had already tried using Wireshark at the interface you said (br-c7e65f5b40b9) and the result is the following:

As you can see there are also other packages, in particular I'm interested in the UDP ones

However I also tried with tcpdump inside the container (thank you for the advice) and the result is much different:

The interface on the container is eth0 and here I have only the ARP packages.
Why do dumps from Wireshark outside the container on br-c7e65f5b40b9 and dumps from tcpdump inside it on eth0 differ?

I’m not that familiar with Docker networking, but on the host a “bridge” or virtual type of hub is used. Each container only sees the traffic for itself, and not the others. While the bridge/hub running on the host can see more. I’m not sure if it sees all or not, but my quick test looked promising.

If you want to see this traffic while running Suricata in a container, you can use host networking mode which exposes the interfaces on the host inside the container, then you can listen on one of the br interfaces. Of course there are probably Docker “proper” ways to do this as well.
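The host-networking approach from the reply above, as an added example that is not from the thread: a small shell helper that derives the host-side bridge interface name for a compose network and prints a compose service stanza for Suricata in host networking mode. It assumes the network was created without the com.docker.network.bridge.name option (so Docker names the bridge "br-" plus the first 12 hex characters of the network ID), and that the capabilities and image name are the ones you would use for jasonish/suricata.

```shell
#!/bin/sh
# Added example, not from the thread. Finds the Linux bridge that backs a
# user-defined Docker network and emits a compose service that sniffs it
# from host networking mode (inside the container, eth0 only sees its own
# unicast traffic plus broadcast such as ARP; the bridge sees all ports).

bridge_name_for_id() {
    # $1: full Docker network ID (64 hex chars).
    # Assumption: default naming, i.e. "br-" + first 12 characters of the ID.
    printf 'br-%s\n' "$(printf '%s' "$1" | cut -c1-12)"
}

bridge_name_for_network() {
    # $1: compose network name (e.g. myproject_default); needs docker on PATH.
    id=$(docker network inspect -f '{{.Id}}' "$1") || return 1
    bridge_name_for_id "$id"
}

suricata_host_service() {
    # $1: bridge interface to listen on. Prints a compose service using
    # network_mode: host so the host's br-* interfaces are visible to Suricata.
    # Capability list is an assumption based on what packet capture needs.
    cat <<EOF
  suricata:
    image: jasonish/suricata:latest
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_NICE
    environment:
      - SURICATA_OPTIONS=-i $1
    volumes:
      - ./suricata.yaml:/etc/suricata/suricata.yaml:ro
      - ./suricata.rules:/var/lib/suricata/rules/suricata.rules:ro
EOF
}

# Usage (requires docker): suricata_host_service "$(bridge_name_for_network myproject_default)"
```

Note that with network_mode: host, HOME_NET in suricata.yaml still needs to cover the compose subnet (172.20.0.0/16 here), since the sniffed interface is the bridge rather than a container port.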