Docker, Network Tools for Debugging

netshoot is like a network diagnostics toolbox in a container.
Great for debugging Docker networking issues without bloating your app containers.
Safe to use and easy to clean up.

The nicolaka/netshoot container is a purpose-built Docker image for network troubleshooting — it’s like a Swiss Army knife for diagnosing container network issues.

What Is netshoot?

Docker: nicolaka/netshoot
Base image: Alpine Linux (lightweight and fast)
Purpose: Gives you a fully-loaded container environment with network troubleshooting tools, ideal for debugging Docker networks, container DNS issues, firewall rules, etc.

🛠️ Tools Included (examples):

netshoot comes preloaded with tools like:

Tool	Purpose
`ping`, `traceroute`	Test basic connectivity and routing
`curl`, `wget`	Test HTTP/HTTPS endpoints
`dig`, `nslookup`	Debug DNS resolution
`netstat`, `ss`	View network sockets and connections
`tcpdump`	Capture and analyze network traffic
`iftop`, `ip`, `route`	Inspect network interfaces and routes
`nc` (netcat)	TCP/UDP connectivity testing
`nmap`	Scan for open ports and services
`iptables`, `nft`	Inspect firewall/NAT rules
`bash`, `sh`	Shell access to run custom scripts

It's ideal when your real containers are too minimal to install anything or when you're trying to debug complex networking setups in Docker, Kubernetes, or multi-container stacks.

How to Run It

To quickly start netshoot with access to your Docker bridge:

docker run --rm -it --network bridge nicolaka/netshoot

You can also attach it to a specific container's network:

docker network inspect <network_name>
docker run --rm -it --network <network_name> nicolaka/netshoot

Or, to connect to a specific container’s network namespace:

docker run --rm -it --net container:<container_name_or_id> nicolaka/netshoot

How to Remove `netshoot`

If you’ve run it with --rm (as shown above), Docker removes the container automatically when it exits — nothing to clean up.

If you want to remove the image (to reclaim disk space):

docker rmi nicolaka/netshoot

You can check if it's downloaded first:

docker images | grep netshoot

Tools included in the `nicolaka/netshoot` container, grouped by functionality so you can quickly understand what’s available and how to use it.

🧰 Network Diagnostic Tools

Tool	Purpose / Example
`ping`	Test reachability to a host (ICMP). `ping 8.8.8.8`
`traceroute`	Trace the route packets take. `traceroute google.com`
`mtr`	Combines `ping` and `traceroute` for live network path monitoring. `mtr -rw google.com`
`netcat` (`nc`)	Test TCP/UDP port availability. `nc -vz 172.17.0.1 5432`
`telnet`	Simple TCP testing (e.g., for raw HTTP or SMTP). `telnet example.com 80`
`nmap`	Port scanning and network exploration. `nmap -p 80,443 example.com`

🌐 HTTP, HTTPS, and Web Tools

Tool	Purpose / Example
`curl`	Fetch content over HTTP/HTTPS. Debug APIs. `curl -i http://localhost:8000`
`wget`	Similar to curl, useful for downloading files or testing HTTP.

📡 DNS Tools

Tool	Purpose / Example
`dig`	Perform detailed DNS lookups. `dig google.com`
`nslookup`	Simple DNS query. `nslookup google.com`
`host`	DNS lookup utility. `host google.com`

🔌 Socket and Connection Inspection

Tool	Purpose / Example
`netstat`	Show open ports and network connections. `netstat -tuln`
`ss`	Replacement for netstat (faster and more modern). `ss -lntp`
`lsof`	List open files, including network sockets. `lsof -i`

🧮 Network Interface & Traffic Monitoring

Tool	Purpose / Example
`ip`	Show IP addresses, routes, and interfaces. `ip a`, `ip r`
`route`	View or manipulate IP routing table. `route -n`
`ifconfig`	Legacy tool to view interfaces (use `ip` instead if possible).
`ethtool`	View Ethernet interface stats and features.
`iftop`	Real-time traffic usage per connection.
`nethogs`	Show bandwidth per process (like `top` but for network).
`bmon`	Bandwidth monitor (graphical console UI).

📦 Packet Sniffing & Debugging

Tool	Purpose / Example
`tcpdump`	Capture and inspect network packets. `tcpdump -i eth0 port 5432`
`wireshark`	Not in netshoot itself, but `tcpdump` can write PCAP files for Wireshark: `tcpdump -i eth0 -w /tmp/trace.pcap`

🔒 Firewall & Security

Tool	Purpose / Example
`iptables`	View and manage Linux firewall rules. `iptables -L -n -v`
`nft`	Newer firewall framework (successor to iptables). `nft list ruleset`
`ipset`	Manage IP sets for dynamic firewall rules.
`conntrack`	Track and inspect NATed connections.

🧰 Other Utilities

Tool	Purpose
`bash`, `sh`	Shell access to run scripts
`jq`	JSON processor (great for API output)
`strace`	Trace system calls from a command (e.g., see why DNS fails)
`curl`, `wget`, `ping`, `nc`	All useful in Docker and Kubernetes troubleshooting

📦 Container/Kubernetes Tools

Some versions of netshoot also include:

Tool	Purpose
`kubectl`	Interact with Kubernetes clusters
`docker`	Optional; if mounted from host, can inspect Docker from inside
`nsenter`, `ip netns`	Enter namespaces of other containers for deep inspection

🧹 Clean-Up / Exit

Just run it with --rm, and it disappears on exit:

docker run --rm -it --network bridge nicolaka/netshoot

Exit with Ctrl+D or type exit.

snippet.cpp

by:
▖     ▘▖▖
▌ ▌▌▛▘▌▙▌
▙▖▙▌▙▖▌ ▌
 
published: June 17 2025.