netshoot
a Docker + Kubernetes network trouble-shooting swiss-army container
A ready-to-run container image packed with dozens of networking diagnostic tools so you can troubleshoot connectivity problems inside Docker or Kubernetes without modifying your running app containers.
Netshoot is a container image packed with networking diagnostic tools, designed to help troubleshoot connectivity problems in Docker and Kubernetes environments. Rather than installing debugging utilities directly onto your running application containers or servers, you spin up a netshoot container temporarily, use it to investigate the problem, then discard it.
The core idea relies on how Linux network namespaces work. Each Docker container and each Kubernetes pod has its own isolated network namespace, but you can start a second container that joins that same namespace. This means netshoot sees exactly the same network interfaces, routes, and connections that your application container sees, letting you run tests from its perspective without modifying your application at all.
The tool list included in the image covers most network debugging tasks: tcpdump for capturing raw traffic, iperf and iperf3 for measuring throughput between two points, nmap for port scanning, mtr for tracing routes and measuring latency, curl and httpie for testing HTTP endpoints, dig and drill for DNS lookups, iptables for inspecting firewall rules, netcat for testing raw connections, and several dozen more. Tools like tshark and termshark provide a terminal-based packet analysis experience. Scapy is there for crafting custom network packets when standard tools are not enough.
With Kubernetes, you can attach netshoot as an ephemeral debug container to an already-running pod, spin it up as a standalone throwaway pod, or run it on a node's host network. A kubectl plugin called kubectl-netshoot wraps these patterns into shorter commands. In Docker, you launch it with --net container:name to share a specific container's network stack, or with --net host to inspect the machine's own network.
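The attach patterns described above, as an added example that is not code from the netshoot project: a small shell helper that prints the command line for each pattern so it can be reviewed before it is run. The function names netshoot_cmd and valid_name, the pod name tmp-shell, and the image name nicolaka/netshoot are assumptions not stated on this page.

```shell
#!/bin/sh
# Added example (not from the netshoot project). Prints, but never executes,
# the command for each attach pattern. Assumed: the image name below and the
# hypothetical helper names valid_name / netshoot_cmd.
NETSHOOT_IMAGE="nicolaka/netshoot"

# Accept only plain container/pod names. Rejects empty input, a leading '-'
# (which the CLI would parse as an option) and shell metacharacters, because
# the printed line is meant to be pasted into a shell.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# netshoot_cmd MODE [TARGET]
# Returns 0 and prints a command, 1 for an unknown mode, 2 for a bad target.
netshoot_cmd() {
    mode="$1"; target="${2:-}"
    case "$mode" in
        docker-container)   # share one container's network stack
            valid_name "$target" || return 2
            echo "docker run -it --rm --net container:$target $NETSHOOT_IMAGE" ;;
        docker-host)        # inspect the machine's own network
            echo "docker run -it --rm --net host $NETSHOOT_IMAGE" ;;
        pod-ephemeral)      # ephemeral debug container in a running pod
            valid_name "$target" || return 2
            echo "kubectl debug $target -it --image=$NETSHOOT_IMAGE" ;;
        pod-standalone)     # throwaway pod with its own network namespace
            echo "kubectl run tmp-shell --rm -i --tty --image $NETSHOOT_IMAGE" ;;
        node-host)          # throwaway pod on the node's host network
            echo "kubectl run tmp-shell --rm -i --tty --overrides='{\"spec\": {\"hostNetwork\": true}}' --image $NETSHOOT_IMAGE" ;;
        *) return 1 ;;
    esac
}
```

For instance, `netshoot_cmd docker-container web` prints the Docker command that joins the network namespace of a container named web.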
Netshoot is maintained as a community project and is published as a public container image that can be pulled and used immediately with no installation beyond Docker or kubectl.
Where it fits
- Attach netshoot to a running Kubernetes pod to run DNS lookups and packet captures from inside its network namespace
- Measure network throughput between two containers using iperf without installing tools on your app images
- Capture and inspect raw traffic on a container's network interface using tcpdump or tshark
- Debug firewall rules by inspecting iptables from inside a container's network perspective