[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-9873":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":25,"hasPages":23,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":33,"readmeContent":34,"aiSummary":35,"trendingCount":16,"starSnapshotCount":16,"syncStatus":36,"lastSyncTime":37,"discoverSource":38},9873,"netshoot","nicolaka\u002Fnetshoot","nicolaka","a Docker + Kubernetes network trouble-shooting swiss-army container","",null,"Shell",10770,1090,124,24,0,6,32,104,29,44.11,"Apache License 2.0",false,"master",true,[27,28,29,30,31,32],"containers","docker","kubernetes","network","network-namespace","troubleshooting","2026-06-12 02:02:13","## netshoot: a Docker + Kubernetes network trouble-shooting swiss-army container\n\n```\n                    dP            dP                           dP\n                    88            88                           88\n88d888b. .d8888b. d8888P .d8888b. 88d888b. .d8888b. .d8888b. d8888P\n88'  `88 88ooood8   88   Y8ooooo. 88'  `88 88'  `88 88'  `88   88\n88    88 88.  ...   88         88 88    88 88.  .88 88.  .88   88\ndP    dP `88888P'   dP   `88888P' dP    dP `88888P' `88888P'   dP\n```\n\n**Purpose:** Docker and Kubernetes network troubleshooting can become complex. With proper understanding of how Docker and Kubernetes networking works and the right set of tools, you can troubleshoot and resolve these networking issues. The `netshoot` container has a set of powerful networking troubleshooting tools that can be used to troubleshoot Docker networking issues. 
Along with these tools comes a set of use-cases that show how this container can be used in real-world scenarios.\n\n**Network Namespaces:** Before starting to use this tool, it's important to go over one key topic: **Network Namespaces**. Network namespaces provide isolation of the system resources associated with networking. Docker uses network and other types of namespaces (`pid`, `mount`, `user`, etc.) to create an isolated environment for each container. Everything from interfaces, routes, and IPs is completely isolated within the network namespace of the container. \n\nKubernetes also uses network namespaces. The kubelet creates a network namespace per pod where all containers in that pod share that same network namespace (eths, IP, TCP sockets, etc.). This is a key difference between Docker containers and Kubernetes pods.\n\nThe cool thing about namespaces is that you can switch between them. You can enter a different container's network namespace and perform some troubleshooting on its network stack with tools that aren't even installed on that container. Additionally, `netshoot` can be used to troubleshoot the host itself by using the host's network namespace. This allows you to perform any troubleshooting without installing any new packages directly on the host or your application's package. \n\n## Netshoot with Docker \n\n* **Container's Network Namespace:** If you're having networking issues with your application's container, you can launch `netshoot` with that container's network namespace like this:\n\n    `$ docker run -it --net container:\u003Ccontainer_name> nicolaka\u002Fnetshoot`\n\n* **Host's Network Namespace:** If you think the networking issue is on the host itself, you can launch `netshoot` with that host's network namespace:\n\n    `$ docker run -it --net host nicolaka\u002Fnetshoot`\n\n* **Network's Network Namespace:** If you want to troubleshoot a Docker network, you can enter the network's namespace using `nsenter`. 
This is explained in the `nsenter` section below.\n\n## Netshoot with Docker Compose\n\nYou can easily deploy `netshoot` using Docker Compose using something like this:\n\n```\nversion: \"3.6\"\nservices:\n  tcpdump:\n    image: nicolaka\u002Fnetshoot\n    depends_on:\n      - nginx\n    command: tcpdump -i eth0 -w \u002Fdata\u002Fnginx.pcap\n    network_mode: service:nginx\n    volumes:\n      - $PWD\u002Fdata:\u002Fdata\n\n  nginx:\n    image: nginx:alpine\n    ports:\n      - 80:80\n```\n\n## Netshoot with Kubernetes\n\n* if you want to debug using an [ephemeral container](https:\u002F\u002Fkubernetes.io\u002Fdocs\u002Ftasks\u002Fdebug\u002Fdebug-application\u002Fdebug-running-pod\u002F#ephemeral-container-example) in an existing pod:\n\n    `$ kubectl debug mypod -it --image=nicolaka\u002Fnetshoot`\n\n* if you want to spin up a throw away pod for debugging.\n\n    `$ kubectl run tmp-shell --rm -i --tty --image nicolaka\u002Fnetshoot`\n\n* if you want to spin up a container on the host's network namespace.\n\n    `$ kubectl run tmp-shell --rm -i --tty --overrides='{\"spec\": {\"hostNetwork\": true}}'  --image nicolaka\u002Fnetshoot`\n\n* if you want to use netshoot as a sidecar container to troubleshoot your application container\n ```yaml\n# netshoot-sidecar.yaml\n---\napiVersion: apps\u002Fv1\nkind: Deployment\nmetadata:\n  name: nginx-netshoot\n  labels:\n    app: nginx-netshoot\nspec:\n  replicas: 1\n  selector:\n    matchLabels:\n      app: nginx-netshoot\n  template:\n    metadata:\n      labels:\n        app: nginx-netshoot\n    spec:\n      containers:\n        - name: nginx\n          image: nginx:1.14.2\n          ports:\n            - containerPort: 80\n        - name: netshoot\n          image: nicolaka\u002Fnetshoot\n          command: [\"\u002Fbin\u002Fbash\"]\n          args: [\"-c\", \"while true; do ping localhost; sleep 60;done\"]\n ```\n\n ```bash\n$ kubectl apply -f netshoot-sidecar.yaml\ndeployment.apps\u002Fnginx-netshoot created\n\n$ 
kubectl get pod\nNAME                              READY   STATUS    RESTARTS   AGE\nnginx-netshoot-7f9c6957f8-kr8q6   2\u002F2     Running   0          4m27s\n\n$ kubectl exec -it nginx-netshoot-7f9c6957f8-kr8q6 -c netshoot -- \u002Fbin\u002Fzsh\n                    dP            dP                           dP\n                    88            88                           88\n88d888b. .d8888b. d8888P .d8888b. 88d888b. .d8888b. .d8888b. d8888P\n88'  `88 88ooood8   88   Y8ooooo. 88'  `88 88'  `88 88'  `88   88\n88    88 88.  ...   88         88 88    88 88.  .88 88.  .88   88\ndP    dP `88888P'   dP   `88888P' dP    dP `88888P' `88888P'   dP\n\nWelcome to Netshoot! (github.com\u002Fnicolaka\u002Fnetshoot)\n\nnginx-netshoot-7f9c6957f8-kr8q6 $ \n ```\n\n## The netshoot kubectl plugin\n\nTo easily troubleshoot networking issues in your k8s environment, you can leverage the [Netshoot Kubectl Plugin](https:\u002F\u002Fgithub.com\u002Fnilic\u002Fkubectl-netshoot) (shout out to Nebojsa Ilic for creating it!). Using this kubectl plugin, you can easily create ephemeral `netshoot` containers to troubleshoot existing pods, k8s controller or worker nodes. To install the plugin, follow [these steps](https:\u002F\u002Fgithub.com\u002Fnilic\u002Fkubectl-netshoot#installation).\n\nSample Usage:\n\n```\n# spin up a throwaway pod for troubleshooting\nkubectl netshoot run tmp-shell\n\n# debug using an ephemeral container in an existing pod\nkubectl netshoot debug my-existing-pod\n\n# create a debug session on a node\nkubectl netshoot debug node\u002Fmy-node\n```\n\n\n\n**Network Problems** \n\nMany network issues could result in application performance degradation. Some of those issues could be related to the underlying networking infrastructure(underlay). Others could be related to misconfiguration at the host or Docker level. 
Let's take a look at common networking issues:\n\n* latency\n* routing \n* DNS resolution\n* firewall \n* incomplete ARPs\n\nTo troubleshoot these issues, `netshoot` includes a set of powerful tools as recommended by this diagram. \n\n![](http:\u002F\u002Fwww.brendangregg.com\u002FPerf\u002Flinux_observability_tools.png)\n\n\n**Included Packages:** The following packages and binaries are included in `netshoot`:\n\n    apache2-utils \\\n    bash \\\n    bind-tools \\\n    bird \\\n    bridge-utils \\\n    busybox-extras \\\n    conntrack-tools \\\n    curl \\\n    dhcping \\\n    drill \\\n    ethtool \\\n    file \\\n    fping \\\n    iftop \\\n    iperf \\\n    iperf3 \\\n    iproute2 \\\n    ipset \\\n    iptables \\\n    iptraf-ng \\\n    iputils \\\n    ipvsadm \\\n    httpie \\\n    jq \\\n    libc6-compat \\\n    liboping \\\n    ltrace \\\n    mtr \\\n    net-snmp-tools \\\n    netcat-openbsd \\\n    nftables \\\n    ngrep \\\n    nmap \\\n    nmap-nping \\\n    nmap-scripts \\\n    openssl \\\n    py3-pip \\\n    py3-setuptools \\\n    scapy \\\n    socat \\\n    speedtest-cli \\\n    openssh \\\n    oh-my-zsh \\\n    strace \\\n    tcpdump \\\n    tcptraceroute \\\n    trippy \\\n    tshark \\\n    util-linux \\\n    vim \\\n    git \\\n    zsh \\\n    websocat \\\n    swaks \\\n    perl-crypt-ssleay \\\n    perl-net-ssleay\n\nAdditionally, the following binaries are included:\n\n    ctop\n    calicoctl\n    termshark\n    grpcurl\n    fortio\n\n## **Sample Use-cases**\n\n### iperf\n\nPurpose: test networking performance between two containers\u002Fhosts.\n\nExample:\n\n```\n$ docker network create -d bridge perf-test\n$ docker run -d --rm --net perf-test --name perf-test-a nicolaka\u002Fnetshoot iperf -s -p 9999\n$ docker run -it --rm --net perf-test --name perf-test-b nicolaka\u002Fnetshoot iperf -c perf-test-a -p 9999\n```\n\n### tcpdump\n\n**tcpdump** is a powerful and common packet analyzer that runs under the command line. 
It allows the user to display TCP\u002FIP and other packets being transmitted or received over an attached network interface.\n\n```\n$ docker run -it --net container:perf-test-a nicolaka\u002Fnetshoot\n\u002F # tcpdump -i eth0 port 9999 -c 1 -Xvv\n```\n\n### netstat\n\nPurpose: `netstat` is a useful tool for checking your network configuration and activity.\n\n```\n$ docker run -it --net container:perf-test-a nicolaka\u002Fnetshoot\n\u002F # netstat -tulpn\n```\n\n### nmap\n\n`nmap` (\"Network Mapper\") is an open source tool for network exploration and security auditing. It is very useful for scanning to see which ports are open between a given set of hosts.\n\n```\n$ docker run -it --privileged nicolaka\u002Fnetshoot nmap -p 12376-12390 -dd 172.31.24.25\n```\n\n### iftop\n\nPurpose: iftop does for network usage what top does for CPU usage. It listens to network traffic on a named interface and displays a table of current bandwidth usage by pairs of hosts.\n\n```\n$ docker run -it --net container:perf-test-a nicolaka\u002Fnetshoot iftop -i eth0\n```\n\n### drill\n\nPurpose: drill is a tool designed to get all sorts of information out of the DNS.\n\n```\n$ docker run -it --net container:perf-test-a nicolaka\u002Fnetshoot drill -V 5 perf-test-b\n```\n\n### netcat\n\nPurpose: a simple Unix utility that reads and writes data across network connections, using the TCP or UDP protocol. It's useful for testing and troubleshooting TCP\u002FUDP connections. 
`netcat` can be used to detect if there's a firewall rule blocking certain ports.\n\n```\n$ docker network create -d bridge my-br\n$ docker run -d --rm --net my-br --name service-a nicolaka\u002Fnetshoot nc -l 8080\n$ docker run -it --rm --net my-br --name service-b nicolaka\u002Fnetshoot nc -vz service-a 8080\n```\n\n### iproute2\n\nPurpose: a collection of utilities for controlling TCP\u002FIP networking and traffic control in Linux.\n\n```\n$ docker run -it --net host nicolaka\u002Fnetshoot\n\u002F # ip route show\n\u002F # ip neigh show\n```\n\n### nsenter\n\nPurpose: `nsenter` is a powerful tool that lets you enter any namespace. `nsenter` is available inside `netshoot` but requires `netshoot` to be run as a privileged container. Additionally, you may want to mount the `\u002Fvar\u002Frun\u002Fdocker\u002Fnetns` directory to be able to enter any network namespace including bridge networks.\n\n```\n$ docker run -it --rm -v \u002Fvar\u002Frun\u002Fdocker\u002Fnetns:\u002Fvar\u002Frun\u002Fdocker\u002Fnetns --privileged=true nicolaka\u002Fnetshoot\n\u002F # cd \u002Fvar\u002Frun\u002Fdocker\u002Fnetns\u002F\n\u002Fvar\u002Frun\u002Fdocker\u002Fnetns # ls\n\u002F # nsenter --net=\u002Fvar\u002Frun\u002Fdocker\u002Fnetns\u002F\u003Cnamespace> sh\n```\n\n### CTOP\n\nctop is a free open source, simple and cross-platform top-like command-line tool for monitoring container metrics in real time. It allows you to get an overview of metrics concerning CPU, memory, network and I\u002FO for multiple containers and also supports inspection of a specific container.\n\n```\n$ docker run -it --rm -v \u002Fvar\u002Frun\u002Fdocker.sock:\u002Fvar\u002Frun\u002Fdocker.sock nicolaka\u002Fnetshoot ctop\n```\n\n### Termshark\n\nTermshark is a terminal user-interface for tshark. 
It allows the user to read pcap files or sniff live interfaces with Wireshark's display filters.\n\n```\n$ docker run --rm --cap-add=NET_ADMIN --cap-add=NET_RAW -it nicolaka\u002Fnetshoot termshark -i eth0 icmp\n$ docker run --rm --cap-add=NET_ADMIN --cap-add=NET_RAW -v \u002Ftmp\u002Fipv4frags.pcap:\u002Ftmp\u002Fipv4frags.pcap -it nicolaka\u002Fnetshoot termshark -r \u002Ftmp\u002Fipv4frags.pcap\n```\n\n### Swaks\n\nSwaks (Swiss Army Knife for SMTP) is a featureful, flexible, scriptable, transaction-oriented SMTP test tool. It is free to use and licensed under the GNU GPLv2.\n\n```\nswaks --to user@example.com \\\n  --from fred@example.com --h-From: '\"Fred Example\" \u003Cfred@example.com>' \\\n  --auth CRAM-MD5 --auth-user me@example.com \\\n  --header-X-Test \"test email\" \\\n  --tls \\\n  --data \"Example body\"\n```\n\n### Grpcurl\n\ngrpcurl is a command-line tool that lets you interact with gRPC servers. It's basically curl for gRPC servers.\n\n```\ngrpcurl grpc.server.com:443 my.custom.server.Service\u002FMethod\n# no TLS\ngrpcurl -plaintext grpc.server.com:80 my.custom.server.Service\u002FMethod\n```\n\n### Fortio\n\nFortio is a fast, small, reusable, embeddable Go library as well as a command-line tool and server process; the server includes a simple web UI and REST API to trigger runs and see a graphical representation of the results.\n\n```\n$ fortio load http:\u002F\u002Fwww.google.com\n```\n\n## Contribution\n\nFeel free to contribute networking troubleshooting tools and use-cases by opening PRs. If you would like to add any package, please follow these steps:\n\n* In the PR, please include some rationale as to why this tool is useful to be included in netshoot. 
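\n     > Note: If the functionality of the tool is already addressed by an existing tool, I might not accept the PR\n* Change the Dockerfile to include the new package\u002Ftool\n* If you're building the tool from source, make sure you leverage the multi-stage build process and update the `build\u002Ffetch_binaries.sh` script \n* Update the README's list of included packages AND include a section on how to use the tool\n* If the tool you're adding supports multi-platform, please make sure you highlight that.\n\n\n","netshoot is a multi-purpose container designed for Docker and Kubernetes network troubleshooting. It bundles a range of powerful network diagnostic tools, such as tcpdump and nslookup, and lets users run commands in the network namespace of a container or of the host without installing additional software in the target environment. The project is particularly suited to situations that require understanding and resolving communication problems between containerized applications, and it handles both single Docker containers and pod-to-pod communication problems in complex Kubernetes clusters. By using Linux network namespaces, netshoot lets operators inspect and debug network configuration and state non-intrusively, greatly improving operational efficiency in cloud-native architectures.",2,"2026-06-11 03:25:09","top_topic"]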