TCP connections which do not show up with lsof, ss or netstat

There is a docker container running on one of the active HTB machines.

In this docker container I have a socat shell running as root. With ss -tunap I can see socat connect to my Kali VM and in my Kali VM I can see the connection with lsof -i -P.

However, on the HTB machine itself (I got root on that machine by now) I can’t see the socat communication with either lsof or ss. As far as I know, lsof and ss get their information from the /proc virtual file system. And a docker container uses the same kernel as its host. I could understand this issue if a process in a VM connects with third parties via TCP since it uses its own kernel. However, shouldn’t we at least be able to observe docker-proxy, vm-gateway or something similar connecting to other machines?

Would be interesting to hear from someone with more insight.

Nobody has any idea?

ss -s
just gives us a summary.

Take three terminal sessions, in the first one run a watch 'lsof -i -P' and in the other two run nmap -p- 10.10.10.x and masscan -p1-65535 10.10.10.x -e tun0, respectively. You will notice the difference. It is not about imprecise or unreliable output.

For masscan the solution is easy, I wonder why we do not see tcp/udp connections established from a docker container or a VM.

Yeah, tcpdump or wireshark will show all traffic unless filtered.

My question remains: WHY do lsof, netstat and ss, run on the host, not display a container’s or a VM’s network connections?

btw, doesn’t matter if you use nc, socat, ssh or whatever… for masscan the answer is easy.

I did a little research and would like to provide the following answers:

  1. masscan uses its own network stack, so the Linux kernel is not involved besides granting permissions to the device
  2. a VM uses its own kernel and a virtual network device. The latter is bridged in one way or another, depending on the setup, to the network device of the host.
  3. a docker-container uses the same kernel but probably its network-connections are located at a different place of the /proc-virtual-filesystem than usual.

Especially the last point involves a little bit of speculation, so please don’t rely on that and don’t nail me down on that. Further input is welcomed. If you know where to look in /proc you are my man (or woman).

Can you tell me a machine, preferably retired, where I can see this issue? Then I can take a look later today.

You could set up JuiceShop as a docker container and ssh into it. Ssh from host to container will show up with netstat, ss and lsof running on the host.

When you ssh from your JuiceShop-container to another machine, i.e. you have a root-server running somewhere, you will see that traffic with netstat, ss and lsof on your root-server and in your docker-container, but not on your host.
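The guess in point 3 above and the JuiceShop reproduction can both be checked from the host: /proc/net is a symlink to /proc/self/net and its tables are kept per network namespace, so /proc/<pid>/net/tcp shows the sockets of whatever namespace that pid lives in. The following is an added example, not code from any poster in this thread, that reads one IPv4 TCP table per distinct namespace; the function names and the sample row are constructed for illustration, and the address decoding assumes a little-endian host.

```python
import glob
import os
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed sample: one row as it could appear in a container's TCP table.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 020011AC:A112 050E0A0A:01BB 01 00000000:00000000 00:00000000 00000000     0        0 48211 1 0000000000000000 20 4 30 10 -1
"""

def decode_endpoint(hex_endpoint):
    """'020011AC:A112' -> ('172.17.0.2', 41234); assumes a little-endian host."""
    addr, port = hex_endpoint.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def parse_proc_net_tcp(text):
    """Parse the contents of a /proc/<pid>/net/tcp file into a list of dicts."""
    conns = []
    for line in text.splitlines()[1:]:            # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        conns.append({"local": decode_endpoint(f[1]), "remote": decode_endpoint(f[2]),
                      "state": TCP_STATES.get(f[3], f[3]), "inode": int(f[9])})
    return conns

def connections_by_namespace(proc="/proc"):
    """Map each network namespace id to (a pid inside it, its IPv4 TCP table)."""
    seen = {}
    for ns_link in glob.glob(os.path.join(proc, "[0-9]*", "ns", "net")):
        pid_dir = os.path.dirname(os.path.dirname(ns_link))
        try:
            ns = os.readlink(ns_link)             # e.g. 'net:[4026532281]'
            if ns in seen:
                continue                          # one table per namespace is enough
            with open(os.path.join(pid_dir, "net", "tcp")) as fh:
                pid = int(os.path.basename(pid_dir))
                seen[ns] = (pid, parse_proc_net_tcp(fh.read()))
        except OSError:                           # process exited or no permission
            continue
    return seen

if __name__ == "__main__":                        # run as root on the docker host
    for ns, (pid, conns) in sorted(connections_by_namespace().items()):
        print(ns, f"(seen via pid {pid})", conns)
```

With standard tools, nsenter -t <pid> -n ss -tunap run on the host gives the same view for the namespace of a single container process.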