Learn packet analysis with challenging Wireshark labs (+25 advanced PCAP case-studies) !
Info·

How to build Wireshark tools in a docker container

Use cases for Wireshark in Docker

For PacketSafari, we run a modified and dockerized version of Wireshark. Under Wireshark licensing we publish the source code of our patches in this git repository.

Our use case is to interact with tools like tshark, editcap, and most importantly sharkd. We have invented a unique proxy tool that allows us to interact with tools more scalable manner and integrate them into a web application called PacketSafari Analyzer.

The build process is structured in multiple steps. We build one Docker container for compilation purposes and then copy the resulting binaries in a leaner production container that does not contain all the unnecessary layers used by the build process.

The docker file

Multi-stage builds are an excellent way to stack previously built images and adapt them. The following code is in one Dockerfile, but we split it into sections for readability.

FROM ubuntu:latest AS wireshark-tools-base-build
RUN sed -i -e 's/http:\/\/archive\.ubuntu\.com\/ubuntu\//http:\/\/ftp.udc.es\/ubuntu\//' /etc/apt/sources.list
RUN sed -i -e 's/http:\/\/security\.ubuntu\.com\/ubuntu\//http:\/\/ftp.udc.es\/ubuntu\//' /etc/apt/sources.list
RUN apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get install -y wget git libc-ares-dev libc-dev libglib2.0-dev libgcrypt-dev cmake bison flex gdb gdbserver netcat libpcap-dev libgnutls28-dev libsmi2-dev libmaxminddb-dev liblua5.3-dev build-essential
RUN mkdir /src
WORKDIR /src
RUN git clone https://github.com/oripka/wireshark.git
WORKDIR /src/wireshark
RUN git fetch
RUN git checkout waveanalyzer-3.6.2
RUN mkdir build
WORKDIR build
RUN cmake -DBUILD_wireshark=OFF -DBUILD_tshark=ON -DBUILD_dumpcap=OFF -DBUILD_androiddump=OFF ../
# RUN cmake -DCMAKE_BUILD_TYPE=Debug -DBUILD_wireshark=OFF -DBUILD_tshark=ON -DBUILD_dumpcap=OFF -DBUILD_androiddump=OFF ../
RUN make -j 9
WORKDIR /src/wireshark/build

Here we build our custom version of Wireshark from git. Optionally one can uncomment the cmake line to compile the binaries with debugging support.

A little trick using ADD helps rebuild the container when a new commit is pushed to the git repository. Like this, we do not need to rebuild the whole container and can build upon the first stage, allowing us to do incremental rebuilds. We also add some example PCAPs that enable us to do reproducible testing of the build.

### WIRESHARK TOOLS BUILDER
###
# quicker build of updated wireshark tools
# docker build --target wireshark-tools-builder -f .\Dockerfile.buildimage .
FROM wireshark-tools-base-build AS wireshark-tools-builder
ADD https://api.github.com/repos/oripka/wireshark/git/refs/heads/waveanalyzer-3.6.2 version.json
RUN git pull
RUN make -j 9
RUN rm -rf wireshark
RUN mkdir wireshark
RUN cp -a run/* wireshark
RUN tar cvf wireshark.tar wireshark
# Copy over some default pcaps, useful for testing
RUN mkdir /pcaps
COPY ./wave-backend/waveanalyzer/rsrc/pcaps/*.pcapng /pcaps/
COPY ./wave-backend/waveanalyzer/rsrc/pcaps/*.pcap /pcaps/

In the third part, we repurpose the wireshark.tar file and add it to a clean image that can be orchestrated to run our application. The main point is the line COPY --from=wireshark-tools-builder that imports the necessary files. All the other commands install the required packages and deploy the application into the correct folders.

### WIRESHARK TOOLS PRODUCTION
###
# copy built binaries over and put it into a minimal base image
FROM ubuntu:latest AS wireshark-tools-production
RUN sed -i -e 's/http:\/\/archive\.ubuntu\.com\/ubuntu\//http:\/\/ftp.udc.es\/ubuntu\//' /etc/apt/sources.list
RUN sed -i -e 's/http:\/\/security\.ubuntu\.com\/ubuntu\//http:\/\/ftp.udc.es\/ubuntu\//' /etc/apt/sources.list
RUN apt-get update && apt-get install -y libglib2.0-0 libpcap0.8 libsmi2ldbl libc-ares2 libmaxminddb0
# START WIRESHARK TOOLING
WORKDIR /
COPY --from=wireshark-tools-builder /src/wireshark/build/wireshark.tar /
COPY ./wave-backend/GeoIP /var/lib/GeoIP
RUN tar xvf wireshark.tar
RUN rm wireshark.tar
COPY ./wave-backend/default_colorrules_wireshark /src/wireshark/default_colorrules_wireshark
WORKDIR wireshark
RUN cp /wireshark/lib* /usr/lib
RUN cp /wireshark/tshark /usr/bin
RUN cp /wireshark/sharkd /usr/bin
RUN cp /wireshark/editcap /usr/bin
RUN cp /wireshark/capinfos /usr/bin
RUN cp /wireshark/mmdbresolve /usr/bin
RUN mkdir /usr/local/share/wireshark 
WORKDIR /usr/local/share/wireshark/
RUN ln -s /wireshark/manuf
RUN ln -s /wireshark/services
WORKDIR /wireshark

The final step is to run a Wireshark tool like sharkd inside the container.

FROM wireshark-tools-production AS sharkd-production
WORKDIR /wireshark
RUN useradd -u 4242 sharkdu
RUN groupadd -g 4141 sharkdg
USER sharkdu
EXPOSE 4446
ENTRYPOINT /usr/bin/sharkd tcp:0.0.0.0:4446

Finally, we start the build process using the docker command within the same directory as the Dockerfile:

docker build --target sharkd-production -t sharkd .

Here you can find the entire Dockerfile.