dnet: Failed to open device docker0 #2374

Closed
CaledoniaProject opened this issue Oct 3, 2021 · 7 comments

CaledoniaProject commented Oct 3, 2021

Hi there, I'm unable to scan a docker container on an Ubuntu 20.04 host:

# snap install nmap
# nmap -sT 172.17.0.2 -p161 -A -sC
Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-03 08:27 CST
dnet: Failed to open device docker0
QUITTING!

# nmap --version
Nmap version 7.92 ( https://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1 libssh2-1.8.0 libz-1.2.11 libpcre-8.39 libpcap-1.8.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

# nmap --iflist
Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-03 08:26 CST
************************INTERFACES************************
DEV         (SHORT)       IP/MASK                     TYPE     UP MTU   MAC
eth0        (eth0)        10.10.10.10/24              ethernet up 1500  XX:79
eth0        (eth0)        fe80::f827:ff:fe07:f279/64  ethernet up 1500  XX:79
docker0     (docker0)     172.17.0.1/16               ethernet up 1500  YY:2E
docker0     (docker0)     fe80::42:5cff:feee:b2e/64   ethernet up 1500  YY:2E
veth0a6e0d2 (veth0a6e0d2) (none)/0                    ethernet up 1500  ZZ:F7
veth0a6e0d2 (veth0a6e0d2) fe80::e081:30ff:fe85:af7/64 ethernet up 1500  ZZ:F7
lo          (lo)          127.0.0.1/8                 loopback up 65536
lo          (lo)          ::1/128                     loopback up 65536

**************************ROUTES**************************
DST/MASK                     DEV         METRIC GATEWAY
169.254.169.254/32           eth0        100    10.10.10.2
10.10.10.0/24                eth0        0
172.17.0.0/16                docker0     0
0.0.0.0/0                    eth0        100    10.10.10.1
::1/128                      lo          0
fe80::42:5cff:feee:b2e/128   docker0     0
fe80::e081:30ff:fe85:af7/128 veth0a6e0d2 0
fe80::f827:ff:fe07:f279/128  eth0        0
::1/128                      lo          256
fe80::/64                    eth0        256
fe80::/64                    docker0     256
fe80::/64                    veth0a6e0d2 256
ff00::/8                     eth0        256
ff00::/8                     docker0     256
ff00::/8                     veth0a6e0d2 256

SporadicThought commented Oct 4, 2021

Let's see your docker network:

# docker network ls
NETWORK ID     NAME                    DRIVER    SCOPE
123456abcdef   mynetwork_default   bridge    local

# docker network inspect 123456abcdef

@SporadicThought

Try adding '-e lo' and '-Pn' to your string:

nmap -Pn -sT 172.17.0.2 -p161 -A -sC -e lo

@CaledoniaProject

I figured it out. AppArmor is blocking nmap from probing the network; it worked once I removed the AppArmor policy.

@SporadicThought

AppArmor within the container or on your host?

CaledoniaProject commented Oct 25, 2021

@SporadicThought I've installed nmap with snap on the host, not within the container. AppArmor is enabled for nmap by default, totally weird:

# aa-status
apparmor module is loaded.
35 profiles are loaded.
34 profiles are in enforce mode.
   ...
   snap.nmap.nmap
   ...
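
The diagnosis in this comment (the snap.nmap.nmap profile in enforce mode blocking nmap) can be confirmed from the kernel log before any policy is changed. The following is an added example, not part of the original thread or of Nmap: it tallies AppArmor DENIED events for one profile; the log lines are constructed samples in the kernel audit format, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample kernel log lines (not taken from the issue), written in
# the AppArmor audit format as it appears in `journalctl -k` or /var/log/syslog.
SAMPLE_LOG = """\
Oct  3 08:27:01 host kernel: audit: type=1400 audit(1633220821.101:210): apparmor="DENIED" operation="create" profile="snap.nmap.nmap" pid=4242 comm="nmap" family="packet" sock_type="raw" protocol=768 requested_mask="create" denied_mask="create"
Oct  3 08:27:01 host kernel: audit: type=1400 audit(1633220821.102:211): apparmor="DENIED" operation="capable" profile="snap.nmap.nmap" pid=4242 comm="nmap" capability=12  capname="net_admin"
Oct  3 08:27:05 host kernel: audit: type=1400 audit(1633220825.300:212): apparmor="ALLOWED" operation="open" profile="snap.other.app" name="/etc/hosts" pid=5000 comm="other" requested_mask="r" denied_mask="r"
Oct  3 08:27:09 host kernel: audit: type=1400 audit(1633220829.000:213): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=600 comm="cupsd" requested_mask="r" denied_mask="r"
"""

# key="quoted value" or key=bare_value pairs inside an audit record.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return the key/value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted if quoted else bare
            for key, quoted, bare in KV.findall(line)}


def denials_for(log_text, profile):
    """Count DENIED events for one profile, keyed by (operation, detail)."""
    hits = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("apparmor") != "DENIED":
            continue
        if ev.get("profile") != profile:
            continue
        # Prefer the denied capability, then a file path, then socket type.
        sock = "/".join(filter(None, (ev.get("family"), ev.get("sock_type"))))
        detail = ev.get("capname") or ev.get("name") or sock or "?"
        hits[(ev.get("operation", "?"), detail)] += 1
    return hits


if __name__ == "__main__":
    for (op, detail), n in denials_for(SAMPLE_LOG, "snap.nmap.nmap").items():
        print(f"{n}x DENIED {op}: {detail}")
```

On a real host, pass the output of `journalctl -k` as `log_text`; the denied operations show which permission the confined profile lacks.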

SporadicThought commented Oct 25, 2021

> @SporadicThought I've installed nmap with snap on the host, not within the container. AppArmor is enabled for nmap by default, totally weird:
>
> # aa-status
> apparmor module is loaded.
> 35 profiles are loaded.
> 34 profiles are in enforce mode.
>    ...
>    snap.nmap.nmap
>    ...

Thank you for the clarification. I have not noticed AppArmor enabled by default on my installations of 20.04; I'm fairly certain it is not. I do not use nmap via snap, however.
Nice work finding a solution!

@skinnyshy

try nmap 172.29.0.0/24 -e eth0 --unprivileged
