Wireshark

The final forensics application that I containerized as a part of this project, is Wireshark 3.0.1. While the other containers were all built using Ubuntu as a base, the wireshark container is built using the development branch of fedora, Rawhide, because it has the latest version of Wireshark already packaged in its repositories. Wireshark is a graphical application, although it does have a command line implementation called tshark, which is useful in scripts. Similar to the Autopsy container, this requires building the image with specified environment variables so that the container can run as the wireshark user. For a user other than root to be able to capture network traffic on a hardware interface, the /usr/bin/dumpcap binary must be owned by the root user and the group wireshark with linux capabilities CAP_NET_RAW+eip and CAP_NET_ADMIN+eip set.

This can be done manually (as root):

root# chown root:wireshark /usr/bin/dumpcap \
	&& setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap

However, fortunately, the default fedora wireshark installation takes care of this automatically, and therefore this does not need to be written into the below Dockerfile.

FROM fedora:rawhide
LABEL maintainer "djds djds@ccs.neu.edu"

RUN dnf upgrade -y && dnf install -y \
    google-noto-sans-fonts google-noto-serif-fonts 
    mesa-dri-drivers mesa-libGL wireshark \

ARG GID
ARG ID
ARG AUDIO

RUN groupdel dialout \
    && groupmod -g "${AUDIO}" audio \
    && useradd -m -g wireshark -G audio,video -u "${ID}" wireshark \
    && mkdir -p /home/wireshark/data \
    && chown -R wireshark:wireshark /home/wireshark \
    && rm -rf /var/cache/dnf/*

WORKDIR /home/wireshark/data

# Run as non privileged user
USER wireshark

ENTRYPOINT ["/usr/bin/wireshark"]

Building the image can be accomplished with the following build script.

#!/bin/bash

set -euo pipefail

REGISTRY="${REGISTRY:-registry.gitlab.com/bghost/docker-forensics/}"

user='djds'
repo='wireshark'
tag=${1:-latest}

# set environment vars
GID="${GID:-$(id -g)}"
AUDIO="${AUDIO:-$(getent group audio | cut -d ':' -f 3)}"
ID="${ID:-$(id -u)}"

# build the container:
docker build \
    --build-arg GID="${GID}" \
    --build-arg ID="${ID}" \
    --build-arg AUDIO="${AUDIO}" \
    -t "${REGISTRY}${user}/${repo}:${tag}" .

if [[ "${PUSH:-}" == "true" ]]; then
    docker push "${REGISTRY}${user}/${repo}:${tag}"
fi

# clean up our host environment
unset {GID,ID,AUDIO}

Wireshark can then be run from the directory containing a pcap/pcapng network capture file, or used to capture on a live interface and run from the location where the file should be saved, using the following script. It is important to note that running Wireshark in a container requires the addition of the --cap-add=NET_ADMIN flag to be able to capture on hardware interfaces, as well as the --net=host flag to avoid being isolated to the default docker0 bridge.

#!/bin/bash

# Use djds/wireshark:latest by default
tag="${1:-latest}"
REGISTRY="${REGISTRY:-registry.gitlab.com/bghost/docker-forensics/}"

docker run --rm -d \
    --cap-add=NET_ADMIN \
    --net=host \
    -c 4 \
    -m 2048M \
    -v /etc/localtime:/etc/localtime:ro \
    -v /tmp/.X11-unix:/tmp/.X11-unix \
    -v "$(pwd):/home/wireshark/data" \
    -e "DISPLAY=unix${DISPLAY}" \
    --name wireshark \
    "${REGISTRY}djds/wireshark:${tag}"

A built version of this image can be pulled from the GitLab container registry:

$ docker pull registry.gitlab.com/bghost/docker-forensics/djds/wireshark:latest