View and manage network connections established by a Docker container.
Often while working with a Docker container, we need to look at the network connections being used by the container for initial debugging or troubleshooting purposes. You may want to see which IP is listening on a port or how many connections are currently active in the container.
Since a Docker is an isolated environment, running netstat on a server won’t give you network connections of the container. Instead, you have to either get inside a container to run the netstat or run it remotely.
Let’s see both options…
# 1. Getting inside Docker container to run netstat
As a first step, find the Container ID of the container that you want to troubleshoot.
$ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 0ce7cfb9be37 nginx "/docker-entrypoint.…" 2 minutes ago Up 2 minutes 0.0.0.0:80->80/tcp web-server 4ab8551671d7 nginx "/docker-entrypoint.…" 6 minutes ago Up 6 minutes 80/tcp vigilant_ganguly $
Here the one I want to troubleshoot is the container with ID
0ce7cfb9be37. Now to get a shell (bash) session of this container, use:
$ docker exec -it 0ce7cfb9be37 bash
This should land you in a bash prompt inside the container.
You can install the
netstat package to look for established network connections. By default, these utilities may not be available inside the container.
So to install it, use:
apt update apt install net-tools
Now, we can use the netstat command as usual.
# netstat -an
Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN tcp 0 0 172.17.0.3:80 220.127.116.11:64429 FIN_WAIT2 tcp 0 0 172.17.0.3:80 18.104.22.168:4811 ESTABLISHED tcp 0 0 172.17.0.3:80 22.214.171.124:64430 FIN_WAIT2 tcp 0 0 172.17.0.3:80 126.96.36.199:4810 ESTABLISHED tcp6 0 0 :::80 :::* LISTEN Active UNIX domain sockets (servers and established) Proto RefCnt Flags Type State I-Node Path unix 3 [ ] STREAM CONNECTED 35748 unix 3 [ ] STREAM CONNECTED 35749
As you can see from the above output, established connections with their source and destination addresses are listed. To see processes listening on ports, you can use:
# netstat -tulnp
Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1/nginx: master pro tcp6 0 0 :::80 :::* LISTEN 1/nginx: master pro
# 2. Run netstat without getting inside the container
First thing first, we need to get the container ID with the
docker ps command.
[root@relicflare-shared-services ~]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES e5db9a01d4a8 postgres:13.1-alpine "docker-entrypoint.s…" 9 days ago Up 9 days 0.0.0.0:5432->5432/tcp relicflare_server_postgres [root@relicflare-shared-services ~]#
And, then run the docker command as below to find out all the established connections for the container.
docker exec e5db9a01d4a8 netstat |grep ESTABLISHED
This would result something like below.
[root@relicflare-shared-services ~]# docker exec e5db9a01d4a8 netstat | grep ESTABLISHED tcp 0 0 e5db9a01d4a8:postgresql 161.35.XXX.XXX:49128 ESTABLISHED udp 0 0 localhost:48818 localhost:48818 ESTABLISHED [root@relicflare-shared-services ~]#
So the idea is to run the netstat command along with the
docker exec command.
Now you have the required connection details, you can proceed with your troubleshooting by looking further at docker and process logs.