This repository enables running Montimage Monitoring Tool (MMT) in a Docker container to simplify network traffic monitoring and analysis across different platforms.
MMT is primarily an enterprise-level network monitoring solution designed for Linux-based infrastructure environments. While MMT doesn't have native support for Windows or macOS, this Docker-based approach provides a cross-platform solution that works on any system capable of running Docker containers.
If you are a developer looking to build or modify the MMT Docker image, please see the DEVELOPER.md file.
Montimage Monitoring Tool (MMT) is a powerful enterprise-level network monitoring and analysis solution that provides:
- Real-time traffic monitoring and analysis
- Protocol identification and extraction
- Security threat detection
- Performance measurement
- Traffic statistics and visualization
MMT is designed for enterprise network infrastructures where Linux is the primary operating system. It's widely used in telecommunications, critical infrastructure monitoring, cybersecurity operations centers, and enterprise network management.
This Docker-based implementation bridges the platform gap, allowing users of Windows, macOS, and other operating systems to utilize MMT's powerful capabilities without requiring a dedicated Linux environment.
The following diagram illustrates how MMT on Docker captures and analyzes your network traffic:
graph LR
A[Host Network] -->|tcpdump| B[Network Capture]
B -->|netcat| C[Docker Container]
C -->|mmt-probe| D[Analysis Engine]
D -->|Reports| E[Results Directory]
subgraph Host Machine
A
B
E
end
subgraph MMT Container
C
D
end
- Host Network: Your network interface that contains the traffic you want to analyze
- Network Capture: tcpdump captures raw packets from your network
- Docker Container: The containerized MMT environment
- Analysis Engine: MMT-probe processes and analyzes the traffic
- Results Directory: Analysis reports are stored in a mounted directory on your host
- Install Docker Desktop:
  - Download from Docker Desktop for Mac
  - Install and launch Docker Desktop
  - Wait for Docker to start (whale icon in menu bar turns solid)
- Install tcpdump and netcat using Homebrew:
  brew install tcpdump netcat
- Pull the Docker image:
  docker pull montimage/mmt:latest
- Find your network interface:
  networksetup -listallhardwareports
  Look for your active interface (typically en0 for Wi-Fi or en1 for Ethernet).
- Start capturing network traffic (keep this terminal window open):
  sudo tcpdump -i en0 -U -w - | nc -l 12345
  Replace en0 with your actual interface name.
- Open a new terminal window and run the MMT container:
  # Create reports directory
  mkdir -p ~/mmt-reports
  # Run the container
  docker run -d --name mmt-probe --rm \
    -v ~/mmt-reports:/opt/mmt/probe/result/report/online \
    montimage/mmt:latest
- View the analysis results:
  ls -la ~/mmt-reports
  For a detailed explanation of the report formats and data structure, refer to the MMT Data Format Documentation.
- Stop monitoring when finished:
  docker stop mmt-probe
  Also press Ctrl+C in the tcpdump terminal window
- Install Docker Desktop:
  - Download from Docker Desktop for Windows
  - Ensure WSL 2 is installed and enabled (WSL installation guide)
  - Install and launch Docker Desktop
  - Make sure Docker is running (whale icon in system tray)
- Install packet capture tools:
- Pull the Docker image:
  docker pull montimage/mmt:latest
- Find your network interface:
  Get-NetAdapter
  Note the name of your active network interface (e.g., "Wi-Fi" or "Ethernet")
- Start capturing network traffic (keep this PowerShell window open):
  & 'C:\Program Files\Wireshark\tshark.exe' -i Wi-Fi -w - | & 'C:\Program Files\Nmap\ncat.exe' -l 12345
  Replace Wi-Fi with your actual interface name.
- Open a new PowerShell window and run the MMT container:
  # Create reports directory
  mkdir -p $HOME\mmt-reports
  # Run the container
  docker run -d --name mmt-probe --rm `
    -v "$HOME\mmt-reports:/opt/mmt/probe/result/report/online" `
    montimage/mmt:latest
- View the analysis results:
  dir $HOME\mmt-reports
- Stop monitoring when finished:
  docker stop mmt-probe
  Also press Ctrl+C in the packet capture window
- Install Docker:
  # Ubuntu/Debian
  sudo apt-get update
  sudo apt-get install docker.io
  sudo systemctl start docker
  sudo systemctl enable docker
  # Fedora/CentOS
  sudo dnf install docker
  sudo systemctl start docker
  sudo systemctl enable docker
- Install tcpdump and netcat:
  # Ubuntu/Debian
  sudo apt-get install tcpdump netcat-openbsd
  # Fedora/CentOS
  sudo dnf install tcpdump nc
- Pull the Docker image:
  docker pull montimage/mmt:latest
- Find your network interface:
  ip link show
  Note the name of your active network interface (e.g., "eth0" or "ens33")
- Start capturing network traffic (keep this terminal window open):
  sudo tcpdump -i eth0 -U -w - | nc -l -p 12345
  Replace eth0 with your actual interface name.
- Open a new terminal window and run the MMT container:
  # Create reports directory
  mkdir -p ~/mmt-reports
  # Run the container
  docker run -d --name mmt-probe --rm \
    -v ~/mmt-reports:/opt/mmt/probe/result/report/online \
    montimage/mmt:latest
  Alternatively, on Linux you can directly monitor a network interface:
  docker run -d --name mmt-probe --rm \
    --net=host -e HOST_INTERFACE=eth0 \
    -v ~/mmt-reports:/opt/mmt/probe/result/report/online \
    montimage/mmt:latest
- View the analysis results:
  ls -la ~/mmt-reports
- Stop monitoring when finished:
  docker stop mmt-probe
  Also press Ctrl+C in the tcpdump terminal window
You can analyze a pre-recorded PCAP file using the MMT container:
macOS/Linux:
# Create reports directory
mkdir -p ~/mmt-reports
# Run the container with a PCAP file
docker run -d --name mmt-probe --rm \
-v ~/mmt-reports:/opt/mmt/probe/result/report/online \
-v ~/my-capture.pcap:/pcap/my-capture.pcap \
-e PCAP_FILE=/pcap/my-capture.pcap \
montimage/mmt:latest
Windows:
# Create reports directory
mkdir -p $HOME\mmt-reports
# Run the container with a PCAP file
docker run -d --name mmt-probe --rm `
-v "$HOME\mmt-reports:/opt/mmt/probe/result/report/online" `
-v "$HOME\my-capture.pcap:/pcap/my-capture.pcap" `
-e PCAP_FILE=/pcap/my-capture.pcap `
montimage/mmt:latest
Replace my-capture.pcap with your actual PCAP file name.
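A pre-flight check for PCAP Analysis Mode, added here as an example and not part of the MMT project: it classifies a capture by its magic number and walks the classic pcap record headers to count packets and detect a truncated final record, without decoding any packet. The names `inspect_capture` and `build_sample` and the sample bytes are constructed for this example; pcapng files are recognised but their blocks are not walked.

```python
import io
import struct
import sys

# First four bytes on disk -> (struct byte order, format name)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "pcap"),
    b"\xa1\xb2\xc3\xd4": (">", "pcap"),
    b"\x4d\x3c\xb2\xa1": ("<", "pcap-nanosecond"),
    b"\xa1\xb2\x3c\x4d": (">", "pcap-nanosecond"),
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type


def inspect_capture(fh):
    """Classify a seekable binary stream and walk classic pcap record headers."""
    size = fh.seek(0, io.SEEK_END)
    fh.seek(0)
    head = fh.read(24)  # the classic pcap global header is 24 bytes
    if head[:4] == PCAPNG_MAGIC:
        return {"format": "pcapng"}  # recognised only; blocks are not walked
    if head[:4] not in PCAP_MAGICS or len(head) < 24:
        return {"format": "unknown"}
    endian, name = PCAP_MAGICS[head[:4]]
    snaplen, linktype = struct.unpack(endian + "II", head[16:24])
    offset, packets = 24, 0
    while offset + 16 <= size:  # each record starts with a 16-byte header
        fh.seek(offset + 8)  # skip the two timestamp fields
        (incl_len,) = struct.unpack(endian + "I", fh.read(4))
        if offset + 16 + incl_len > size:
            break  # record claims more bytes than the file holds
        offset += 16 + incl_len
        packets += 1
    return {"format": name, "linktype": linktype, "snaplen": snaplen,
            "packets": packets, "truncated": offset != size}


def build_sample():
    """Constructed sample: little-endian pcap, linktype 1 (Ethernet), 2 packets."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

    def record(payload):
        return struct.pack("<IIII", 0, 0, len(payload), len(payload)) + payload
    return header + record(b"\x00" * 60) + record(b"\x00" * 42)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_capture(fh))
    else:
        print(inspect_capture(io.BytesIO(build_sample())))
```

Run it with the capture path as its only argument before mounting the file into the container; with no argument it inspects the constructed sample.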
# For macOS/Linux
docker run -d --name my-custom-mmt --rm \
-v ~/mmt-reports:/opt/mmt/probe/result/report/online \
montimage/mmt:latest
# For macOS/Linux
docker run -d --name mmt-probe --rm \
-v ~/mmt-reports:/opt/mmt/probe/result/report/online \
montimage/mmt:v1.0
- Verify your network interface name
- Ensure tcpdump is running with sudo/administrator privileges
- Check that port 12345 is not being used by another application
- Verify that netcat is properly installed
If the container exits immediately after starting, check:
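- Docker logs (the run commands above pass --rm, which removes an exited container together with its logs, so start the container without --rm when you need to read them):
docker logs mmt-probe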
- Ensure tcpdump is running before starting the container
- Check that port 12345 is accessible to the container
If you encounter permission errors with the reports directory:
# Fix permissions on the reports directory
sudo chown -R $USER:$USER ./mmt-reports
- Docker can't connect to host.docker.internal:
  - Ensure Docker Desktop is running with the latest version
  - Try restarting Docker Desktop
  - If still failing, use a direct IP address by running:
    ifconfig en0 | grep "inet " | awk '{print $2}'
    Then use this IP instead of host.docker.internal
- Permission denied for tcpdump:
  - Make sure to run tcpdump with sudo
  - If prompted for password multiple times, run:
    sudo chmod +s /usr/sbin/tcpdump
    This sets the setuid bit on the binary, so every local user can then run tcpdump with root privileges.
Container can't reach host for packet capture:
- Ensure Windows Firewall allows incoming connections on port 12345
- Try adding WSL integration in Docker Desktop settings
- Use the IP address of your host instead of
host.docker.internal
:ipconfig | findstr IPv4
-
Wireshark/tshark permission issues:
- Run PowerShell as Administrator
- Try using Wireshark GUI to capture to a file, then use the PCAP file analysis mode
- Docker permission issues:
  - Make sure your user is in the docker group:
    sudo usermod -aG docker $USER # then logout and login again
- Network interface not found:
  - Make sure you're using the correct interface name
  - For direct monitoring, ensure you use --net=host
The container can operate in three modes:
- Netcat Mode (Default): Captures traffic from the host machine through a netcat connection on port 12345. This is the recommended mode for most users and works across all operating systems (Windows, macOS, Linux). The netcat listener has no authentication and streams the raw capture to the first client that connects, so limit access to port 12345 to the local machine where possible.
- Host Network Interface Mode: Available on Linux only, this mode directly captures traffic from a specified host network interface using the --net=host option. This mode represents the traditional deployment method for MMT in enterprise environments.
- PCAP Analysis Mode: Analyzes a pre-recorded PCAP file from your host system. This mode is useful for analyzing previously captured traffic, forensic analysis, or testing purposes.
MMT generates several types of reports in the configured reports directory:
These reports contain information about detected security events and potential threats.
These reports provide statistical information about the monitored network traffic, including:
- Protocol distribution
- Traffic volume
- Connection statistics
- Application behavior
View the most recent report:
ls -lt ./mmt-reports | head -n 5
View a specific security report:
cat ./mmt-reports/security_report_*.xml
MMT-Operator is a graphical web interface for visualizing and analyzing MMT reports. It runs on your host machine and provides dashboards, charts, and detailed analytics.
- Clone and install MMT-Operator from the official repository:
  git clone https://github.com/Montimage/mmt-operator.git
  cd mmt-operator/www
  npm install
- Create a MongoDB Server - version 4.4 (required for MMT-Operator):
  docker run -d --name mongodb44 -p 27017:27017 mongo:4.4
  Started this way, MongoDB is published on all host interfaces with no authentication enabled; bind the published port to 127.0.0.1 if only the local MMT-Operator needs to reach it.
- Configure MMT-Operator to read the reports from your Docker container:
  Edit the www/config.json file to set the correct reports directory:
  # Navigate to the www directory
  cd mmt-operator/www
  # Edit the config.json file (using your preferred editor)
  vim config.json
  The most important setting is the file_input.data_folder array. Make sure it includes the path to where your MMT reports are stored:
  "file_input": {
    "data_folder": [
      "/absolute/path/to/your/mmt-reports/"
    ],
    "delete_data": true,
    "nb_readers": 1
  },
  "input_mode": "file",
  Replace /absolute/path/to/your/mmt-reports/ with the absolute path to your reports directory.
- Start MMT-Operator:
  cd mmt-operator/www && npm start
- Access the MMT-Operator web interface:
  - Open your browser and navigate to http://localhost:8080 (default port)
- Real-time traffic visualization
- Security event monitoring
- Protocol breakdown analysis
- Historical data examination
- Customizable dashboards
For full documentation and advanced configuration options, visit the MMT-Operator GitHub repository.
This project is distributed under the terms of the license covering Montimage products.
For any issues, questions, or improvements:
- Visit Montimage website
- Contact support at support@montimage.eu