[GH-ISSUE #2619] Add a monitoring option to capture network traffic to a file #1661

Status: Open. Opened 2026-05-05 08:18:35 -06:00 by gitea-mirror · 0 comments

Originally created by @ghost on GitHub (Mar 26, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2619

It would be very useful to be able to capture the network traffic of a sandbox.

The existing functionality can only do this if the app does not need to talk to localhost. E.g:

```bash
virtual_ip=10.10.20.20   # must be on the subnet
# grab all non-tor packets to look for leaks
# (tor_guard_node_IP and logfile are set by the caller before this runs)
# options first, then the capture filter; background with & so that $! is set
# (sudo -b backgrounds inside sudo, so $! would not refer to the capture)
sudo /usr/sbin/tcpdump -n -f -p -i eth0 -w "$logfile" \
  not arp and not host "$tor_guard_node_IP" and src host "$virtual_ip" &
pid_tcpdump=$!
firejail --net=eth0 --ip="$virtual_ip" lynx https://searx.me
sudo kill "$pid_tcpdump"   # signals sudo, which relays it to tcpdump
```

^ that works because `lynx` does not access *localhost*. Tor is not used so every packet is captured.

But in a realistic scenario, lynx needs to proxy through tor via the localhost proxy server:

```bash
virtual_ip=10.10.20.20   # must be on the subnet
# grab all non-tor packets to detect leaks
# (tor_guard_node_IP and logfile are set by the caller before this runs)
sudo /usr/sbin/tcpdump -n -f -p -i eth0 -w "$logfile" \
  not arp and not host "$tor_guard_node_IP" and src host "$virtual_ip" &
pid_tcpdump=$!
# the proxy at 10.10.20.19:8118 lives on the host, outside the sandbox's namespace
firejail --net=eth0 --ip="$virtual_ip" \
  --env=http_proxy=http://10.10.20.19:8118 \
  --env=https_proxy=https://10.10.20.19:8118 \
  lynx https://searx.me
sudo kill "$pid_tcpdump"
```

That fails because the network namespace prevents access to the local proxy host. This means `--net=eth0 --ip="$virtual_ip"` must be omitted. But then that omission loses the benefit of tcpdump filtering by IP, ultimately making it difficult to separate the firejail traffic from all the other localhost traffic.

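When the sandbox has to share the host's network stack so it can reach the proxy, there is no distinct source IP to filter on, but the sandbox's sockets are still distinguishable by which process owns them. The script below is an added example, not part of the issue or of firejail's own code: it attributes captured loopback packets to the sandbox by matching local ports from a `/proc/net/tcp` snapshot against an inode-to-PID map, then flags any packet a sandbox socket sends anywhere other than the proxy as a leak. The `/proc/net/tcp` snapshot, the inode-to-PID map, the sandbox PIDs (on a live system taken from `firejail --list`) and the `tcpdump -n` text capture are all constructed sample data; `socket_inodes_by_pid` shows how the map is built from `/proc/<pid>/fd` on a real host, and the proxy address 127.0.0.1:8118 is assumed.

```python
"""Attribute captured localhost traffic to a firejail sandbox by socket owner.

Added example, not firejail's code. Sample data below is constructed.
"""
import os
import re
import socket
import struct
from typing import Dict, Iterable, List, Set, Tuple

# (local ip, local port, remote ip, remote port, socket inode)
Conn = Tuple[str, int, str, int, int]


def _decode_addr(hexaddr: str) -> Tuple[str, int]:
    """'0100007F:1FB6' (/proc/net/tcp form, host byte order) -> ('127.0.0.1', 8118)."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[Conn]:
    """Parse the text of /proc/net/tcp; the inode is the 10th column."""
    conns: List[Conn] = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = _decode_addr(f[1])
        rip, rport = _decode_addr(f[2])
        conns.append((lip, lport, rip, rport, int(f[9])))
    return conns


def socket_inodes_by_pid(pids: Iterable[int]) -> Dict[int, int]:
    """Live-system helper: socket inode -> pid, from /proc/<pid>/fd symlinks."""
    owners: Dict[int, int] = {}
    for pid in pids:
        fd_dir = f"/proc/{pid}/fd"
        try:
            names = os.listdir(fd_dir)
        except OSError:
            continue
        for name in names:
            try:
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(os.path.join(fd_dir, name)))
            except OSError:
                continue
            if m:
                owners[int(m.group(1))] = pid
    return owners


def sandbox_ports(conns: List[Conn], owner: Dict[int, int], sandbox_pids: Set[int]) -> Set[int]:
    """Local TCP ports whose socket belongs to a sandbox process."""
    return {lport for (_, lport, _, _, inode) in conns if owner.get(inode) in sandbox_pids}


# matches the endpoints in a 'tcpdump -n' line: "IP 127.0.0.1.46562 > 127.0.0.1.8118:"
PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def attribute_capture(lines: List[str], ports: Set[int]) -> List[str]:
    """Keep packets where either endpoint is a sandbox-owned port."""
    out = []
    for line in lines:
        m = PKT_RE.search(line)
        if m and (int(m.group(2)) in ports or int(m.group(4)) in ports):
            out.append(line)
    return out


def find_leaks(lines: List[str], ports: Set[int], proxy: Tuple[str, int]) -> List[str]:
    """Packets a sandbox socket sends to anything other than the proxy."""
    leaks = []
    for line in lines:
        m = PKT_RE.search(line)
        if m and int(m.group(2)) in ports and (m.group(3), int(m.group(4))) != proxy:
            leaks.append(line)
    return leaks


# Constructed /proc/net/tcp snapshot: row 0 is the proxy listener, rows 1-2 are
# sandbox connections to it, row 3 is a sandbox connection straight to the
# Internet (the leak), row 4 is an unrelated local client of the same proxy.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1FB6 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 0100007F:B5E2 0100007F:1FB6 01 00000000:00000000 00:00000000 00000000  1000        0 2002 1 0 20 4 30 10 -1
   2: 0100007F:B5E3 0100007F:1FB6 01 00000000:00000000 00:00000000 00000000  1000        0 2003 1 0 20 4 30 10 -1
   3: 050200C0:B5E4 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 2004 1 0 20 4 30 10 -1
   4: 0100007F:B5E5 0100007F:1FB6 01 00000000:00000000 00:00000000 00000000  1000        0 3003 1 0 20 4 30 10 -1
"""
SAMPLE_OWNERS = {1001: 777, 2002: 4242, 2003: 4242, 2004: 4243, 3003: 5555}  # constructed
SAMPLE_SANDBOX_PIDS = {4242, 4243}  # constructed; live: from `firejail --list`
SAMPLE_CAPTURE = [  # constructed 'tcpdump -n -i any' output
    "12:00:00.000001 IP 127.0.0.1.46562 > 127.0.0.1.8118: Flags [S], seq 1, win 65495, length 0",
    "12:00:00.000002 IP 127.0.0.1.8118 > 127.0.0.1.46562: Flags [S.], seq 2, ack 2, win 65483, length 0",
    "12:00:00.000003 IP 127.0.0.1.46565 > 127.0.0.1.8118: Flags [S], seq 3, win 65495, length 0",
    "12:00:00.000004 IP 192.0.2.5.46564 > 203.0.113.10.443: Flags [S], seq 4, win 64240, length 0",
    "12:00:00.000005 IP 127.0.0.1.46563 > 127.0.0.1.8118: Flags [P.], seq 1:50, ack 1, win 512, length 49",
]
PROXY = ("127.0.0.1", 8118)  # assumed proxy endpoint


def run_example() -> Tuple[Set[int], List[str], List[str]]:
    conns = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    ports = sandbox_ports(conns, SAMPLE_OWNERS, SAMPLE_SANDBOX_PIDS)
    return ports, attribute_capture(SAMPLE_CAPTURE, ports), find_leaks(SAMPLE_CAPTURE, ports, PROXY)


if __name__ == "__main__":
    ports, kept, leaks = run_example()
    print("sandbox ports:", sorted(ports))
    print("sandbox packets:", len(kept), "leaks:", leaks)
```

On a live host the snapshot has to be taken repeatedly while the sandbox runs, because ephemeral ports are reused and a connection that closed before the snapshot is never attributed; `/proc/net/tcp6` and `/proc/net/udp` need the same treatment for IPv6 and for DNS over UDP. The approach only applies when the sandbox shares the host's network stack, which is precisely the case the issue describes where `--net` cannot be used.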
Labels: enhancement, networking (added by gitea-mirror 2026-05-05 08:18:35 -06:00)
Reference: github-starred/firejail#1661