Capturing Traffic from the Host System

By default, Docker networking will connect the Packetbeat container to an isolated virtual network, with a limited view of network traffic. You may wish to connect the container directly to the host network in order to see traffic destined for, and originating from, the host system. With docker run, this can be achieved by specifying --network=host.

docker run --cap-add=NET_ADMIN --network=host docker.elastic.co/beats/packetbeat:5.4.3

On Windows and macOS, specifying --network=host will bind the container’s network interface to the virtual interface of Docker’s embedded Linux virtual machine, not to the physical interface of the host system.