Docker: any way to list open sockets inside a running docker container?

You can use the nsenter command to run a command on your host inside the network namespace of the Docker container. Just get the PID of your Docker container:

docker inspect -f '{{.State.Pid}}' container_name_or_id

For example, on my system:

$ docker inspect -f '{{.State.Pid}}' c70b53d98466
15652

And once you have the PID, use that as the argument to the target (-t) option of nsenter. For example, to run netstat inside the container network namespace:

$ sudo nsenter -t 15652 -n netstat
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     

Notice that this worked even though the container does not have netstat installed:

$ docker exec -it c70b53d98466 netstat
rpc error: code = 13 desc = invalid header field value "oci runtime error: exec failed: container_linux.go:247: starting container process caused "exec: "netstat": executable file not found in $PATH"n"

(nsenter is part of the util-linux package)

• 1
  Does this solution applicable for other platforms such as windows, mac etc.,?

  – Rao

  Nov 1, 2016 at 6:42
• @Rao, possibly: nsenter is a Linux command, so you would need to be able to log in to the Linux VM that is actually being used to host your Docker containers. And of course, that VM would need to have the nsenter command available.

  – larsks

  Nov 1, 2016 at 11:06
• you may use this snippet to get all netstat for all dockers stackoverflow.com/questions/37171909/…

  – thibault ketterer

  Mar 15, 2018 at 10:16
• On an AWS EKS node, I'm root, but get: sudo nsenter -t 14207 -n netstat returns nsenter: cannot open /proc/14207/ns/net: No such file or directory. I can see the path that it says does not exist but cannot seem to do anything to interrogate it. Has anyone run into this?

  – John Humphreys

  Apr 21, 2021 at 15:59
• nsenter => Permission denied sudo nsenter => bash: sudo: command not found

  – Marc

  Sep 21, 2021 at 18:15

The two commands from @larsks answer merged into one-liner - no need to copy-paste the PID(s) (just replace container_name_or_id):

sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' container_name_or_id) -n netstat

• Sidenote: one would need to add another sudo so that the command is ... $(sudo docker inspect ..., otherwise the command will fail if it isn't run in a root shell.

  – ascendants

  Jun 11, 2021 at 19:53

If you have iproute2 package installed, you can use

sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' container_name_or_id) -n ss

or

sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' container_name_or_id) -n ss -ltu

It will show TCP and UDP

If you want them all (all containers) try this.

$ for i in `docker ps -q` ; do sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' $i) -n netstat ; done

I tried the other solutions and it didn't work for me by my colleague gave me this solution. Thought I would mention it here for others like me and for me to refer to later lol.

docker exec -it [container name] bash

grep -v “rem_address” /proc/net/tcp

docker inspect <container_id>

• Look for "ExposedPorts" in "Config"

server:docker container ls

CONTAINER ID    IMAGE              COMMAND                  CREATED          STATUS           PORTS       NAMES

80acfa804b59    admirito/gsad:10   "docker-entrypoint.s…"   18 minutes ago   Up 10 minutes    80/tcp      gvmcontainers_gsad_1

• 3
  this is wrong. this will only five you the ports that either the Dockerimage declared and those that were explicitly exposed (in both cases it doesn't matter if the container process is actually listening...)

  – Martin Rauscher

  Dec 21, 2019 at 13:43