View and manage network connections established by a Docker container.

Often while working with a Docker container, we need to look at the network connections being used by the container for initial debugging or troubleshooting purposes. You may want to see which IP is listening on a port or how many connections are currently active in the container.

Since a Docker container runs in its own isolated network environment, running netstat on the host won't show the container's network connections. Instead, you have to either get a shell inside the container and run netstat there, or run it from the host through docker exec.

Let’s see both options…

# 1. Getting inside Docker container to run netstat

As a first step, find the Container ID of the container that you want to troubleshoot.

$ docker ps
CONTAINER ID   IMAGE     COMMAND                  CREATED         STATUS         PORTS                NAMES
0ce7cfb9be37   nginx     "/docker-entrypoint.…"   2 minutes ago   Up 2 minutes   0.0.0.0:80->80/tcp   web-server
4ab8551671d7   nginx     "/docker-entrypoint.…"   6 minutes ago   Up 6 minutes   80/tcp               vigilant_ganguly
$

Here the one I want to troubleshoot is the container with ID 0ce7cfb9be37. Now to get a shell (bash) session of this container, use:

$ docker exec -it 0ce7cfb9be37 bash

This should land you in a bash prompt inside the container.

root@0ce7cfb9be37:/#

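To look for established network connections you need netstat, which is provided by the net-tools package. By default, these utilities may not be available inside the container. Anything you install this way lives only in this container's writable layer and is gone once the container is recreated.

So to install it on a Debian-based image such as this nginx one, use: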

apt update
apt install net-tools

Now, we can use the netstat command as usual.

root@0ce7cfb9be37:/# netstat -an

Output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 172.17.0.3:80           223.233.99.46:64429     FIN_WAIT2
tcp        0      0 172.17.0.3:80           223.233.99.46:4811      ESTABLISHED
tcp        0      0 172.17.0.3:80           223.233.99.46:64430     FIN_WAIT2
tcp        0      0 172.17.0.3:80           223.233.99.46:4810      ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  3      [ ]         STREAM     CONNECTED     35748
unix  3      [ ]         STREAM     CONNECTED     35749

As you can see from the above output, established connections with their source and destination addresses are listed. To see processes listening on ports, you can use:

root@0ce7cfb9be37:/# netstat -tulnp

Output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1/nginx: master pro
tcp6       0      0 :::80                   :::*                    LISTEN      1/nginx: master pro

# 2. Run netstat without getting inside the container

First things first: get the container ID with the docker ps command.

[root@relicflare-shared-services ~]# docker ps
CONTAINER ID   IMAGE                      COMMAND                  CREATED      STATUS      PORTS                    NAMES
e5db9a01d4a8   postgres:13.1-alpine       "docker-entrypoint.s…"   9 days ago   Up 9 days   0.0.0.0:5432->5432/tcp   relicflare_server_postgres
[root@relicflare-shared-services ~]#

Then run netstat through docker exec, as below, to list all the established connections for the container.

docker exec e5db9a01d4a8 netstat | grep ESTABLISHED

This produces output like the following.

[root@relicflare-shared-services ~]# docker exec e5db9a01d4a8 netstat | grep ESTABLISHED
tcp        0      0 e5db9a01d4a8:postgresql 161.35.XXX.XXX:49128    ESTABLISHED 
udp        0      0 localhost:48818         localhost:48818         ESTABLISHED 
[root@relicflare-shared-services ~]# 

So the idea is to run the netstat command along with the docker exec command.
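
When the image has no netstat and you would rather not install packages into a running container, the same socket table can be read from the container's /proc/net/tcp. The following is an added example, not part of the original article: it decodes IPv4 entries only and assumes a little-endian host and an image that has cat; the function name decode_proc_net_tcp and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Decode /proc/net/tcp (IPv4 only) into netstat-style lines.
# Optional argument: print only sockets in that state (e.g. ESTABLISHED).
decode_proc_net_tcp() {
  awk -v want="${1:-}" '
    # Portable hex-to-decimal (works in mawk, gawk and busybox awk).
    function hex(s,    i, n) {
      s = toupper(s); n = 0
      for (i = 1; i <= length(s); i++)
        n = n * 16 + index("0123456789ABCDEF", substr(s, i, 1)) - 1
      return n
    }
    # "030011AC:0050" -> "172.17.0.3:80". The kernel prints the address as a
    # host-order 32-bit word, so on little-endian hosts the bytes are reversed.
    function endpoint(a,    p, ip, port) {
      split(a, p, ":"); port = hex(p[2])
      ip = hex(substr(p[1], 7, 2)) "." hex(substr(p[1], 5, 2))
      ip = ip "." hex(substr(p[1], 3, 2)) "." hex(substr(p[1], 1, 2))
      return ip ":" (port == 0 ? "*" : port)
    }
    BEGIN {  # kernel TCP state codes 0x01..0x0B, in order
      s = "ESTABLISHED SYN_SENT SYN_RECV FIN_WAIT1 FIN_WAIT2 TIME_WAIT"
      n = split(s " CLOSE CLOSE_WAIT LAST_ACK LISTEN CLOSING", name, " ")
    }
    $1 ~ /^[0-9]+:$/ {                  # socket rows only; skips the header
      st = hex($4)
      state = (st >= 1 && st <= n) ? name[st] : "UNKNOWN"
      if (want == "" || want == state)
        printf "tcp %s %s %s\n", endpoint($2), endpoint($3), state
    }'
}

# Constructed sample in /proc/net/tcp layout, mirroring the netstat output above.
SAMPLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 35001 1
   1: 030011AC:0050 2E63E9DF:FBAD 05 00000000:00000000 00:00000000 00000000   101        0 0 3
   2: 030011AC:0050 2E63E9DF:12CB 01 00000000:00000000 00:00000000 00000000   101        0 35748 1'

# Live use from the host (container ID taken from the docker ps output above):
#   docker exec e5db9a01d4a8 cat /proc/net/tcp | decode_proc_net_tcp ESTABLISHED
printf '%s\n' "$SAMPLE" | decode_proc_net_tcp
```

IPv6 sockets are listed separately in /proc/net/tcp6 and are not decoded by this function.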

# Conclusion

Now that you have the required connection details, you can proceed with your troubleshooting by looking further at Docker and process logs.