Jay Taylor's notes

back to listing index

netstat - Docker: any way to list open sockets inside a running docker container? - Stack Overflow

[web search]
Original source (stackoverflow.com)
Tags: linux containers howto docker nsenter stackoverflow.com
Clipped on: 2022-08-17

  1. Home
    1. Public
    2. Questions
    3. Tags
    4. Users
    5. Companies
    6. Collectives
    7. Explore Collectives
    1. Teams
      Stack Overflow for Teams – Start collaborating and sharing organizational knowledge. Create a free Team Why Teams?
Asked 5 years, 9 months ago
Modified 6 months ago
Viewed 91k times

I would like to execute netstat inside a running docker container to see open TCP sockets and their statuses. But, on some of my docker containers, netstat is not available. Is there any way to get open sockets (and their statuses, and which IP addresses they are connected to if any) without using netstat, via some docker API? (BTW, my container uses docker-proxy - that is, not directly bridged)

I guess I could look at /proc file system directly, but at that point, I might as well docker cp netstat into the container and execute it. I was wondering if there was any facility that docker might provide for this.

asked Oct 31, 2016 at 20:56
2,86222 gold badges2323 silver badges1515 bronze badges

7 Answers

Sorted by:

You can use the nsenter command to run a command on your host inside the network namespace of the Docker container. Just get the PID of your Docker container:

docker inspect -f '{{.State.Pid}}' container_name_or_id

For example, on my system:

$ docker inspect -f '{{.State.Pid}}' c70b53d98466

And once you have the PID, use that as the argument to the target (-t) option of nsenter. For example, to run netstat inside the container network namespace:

$ sudo nsenter -t 15652 -n netstat
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0    *               LISTEN     

Notice that this worked even though the container does not have netstat installed:

$ docker exec -it c70b53d98466 netstat
rpc error: code = 13 desc = invalid header field value "oci runtime error: exec failed: container_linux.go:247: starting container process caused "exec: "netstat": executable file not found in $PATH"n"

(nsenter is part of the util-linux package)

answered Oct 31, 2016 at 23:22
237k3737 gold badges355355 silver badges345345 bronze badges

The two commands from @larsks answer merged into one-liner - no need to copy-paste the PID(s) (just replace container_name_or_id):

sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' container_name_or_id) -n netstat
answered Nov 6, 2018 at 22:03
72866 silver badges99 bronze badges
  • Sidenote: one would need to add another sudo so that the command is ... $(sudo docker inspect ..., otherwise the command will fail if it isn't run in a root shell.
    – ascendants
    Jun 11, 2021 at 19:53

If you have iproute2 package installed, you can use

sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' container_name_or_id) -n ss


sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' container_name_or_id) -n ss -ltu

It will show TCP and UDP

1,25211 gold badge1010 silver badges2121 bronze badges
answered Feb 2, 2021 at 19:35
Yogesh Yadav
4,07966 gold badges2929 silver badges3838 bronze badges

If you want them all (all containers) try this.

$ for i in `docker ps -q` ; do sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' $i) -n netstat ; done
answered Sep 8, 2021 at 15:39
Don Richards
2133 bronze badges

I tried the other solutions and it didn't work for me by my colleague gave me this solution. Thought I would mention it here for others like me and for me to refer to later lol.

docker exec -it [container name] bash

grep -v “rem_address” /proc/net/tcp

answered Nov 5, 2021 at 13:54
1721111 bronze badges

docker inspect <container_id>

  • Look for "ExposedPorts" in "Config"
Stephen O'Flynn
2,2492424 silver badges3434 bronze badges
answered Feb 15 at 0:22

server:docker container ls

CONTAINER ID    IMAGE              COMMAND                  CREATED          STATUS           PORTS       NAMES

80acfa804b59    admirito/gsad:10   "docker-entrypoint.s…"   18 minutes ago   Up 10 minutes    80/tcp      gvmcontainers_gsad_1
32.1k88 gold badges5555 silver badges7878 bronze badges
answered Jun 27, 2019 at 9:10
  • 3
    this is wrong. this will only five you the ports that either the Dockerimage declared and those that were explicitly exposed (in both cases it doesn't matter if the container process is actually listening...) Dec 21, 2019 at 13:43

Your Answer

Community wiki

Not the answer you're looking for? Browse other questions tagged or ask your own question.

Love this site?

Get the weekly newsletter! In it, you'll get:

  • The week's top questions and answers
  • Important community announcements
  • Questions that need answers

see an example newsletter

Hot Network Questions