Inspecting docker activity with socat

Inspecting docker activity with socat

We can’t directly sniff the traffic on it as we don’t really control this socket.

We first create a fake unix socket, say ‘/tmp/socatproxy’

and relay all its traffic to



$ socat -v UNIX-LISTEN;/tmp/socatproxy.sock,fork,reuseaddr

UNIX-CONNECT://var/run/docker.sock &

. In this way, regular interactions remain undisturbed, but the redirect allows socat to inspect traffic.

$ socat -v UNIX-LISTEN:/tmp/socatproxy.sock,fork UNIX-CONNECT:/var/run/docker.sock

-v : writes the traffic to stderr as text in addition to relaying instructions. Some conversions are made for the sake of readability so if certain sequences aren’t being interpreted properly, one could try -x (hex).
UNIX-LISTEN : listen for connections on the unix socket (In our case, /tmp/fake)
fork : create a separate subprocess for handling new connections so the main process may continue listening
UNIX-CONNECT : connect to the specified unix socket (In our case, /var/run/docker.sock)





to list all containers with Docker

$ docker -H unix:///tmp/socatproxy.sock ps -a

Leave a Reply

Your email address will not be published. Required fields are marked *