diff --git a/README.md b/README.md
index 01565049..082fc186 100644
--- a/README.md
+++ b/README.md
@@ -84,6 +84,24 @@ remote-control:
 - `/etc/unbound/root.hints`. NOTE IP address of docker container
 
 ``` text
-.                        3600000      NS    MY.ROOT-SERVERS.NET.
-MY.ROOT-SERVERS.NET.     3600000      A     172.17.0.2
+.                        3600000      NS    primary.root-server.com.
+primary.root-server.com. 3600000      A     172.17.0.2
 ```
+
+#### `client`
+
+Container is `docker/client.Dockerfile`, build with: `docker build -t dnssec-tests-client -f docker/client.Dockerfile docker`, with `tshark`.
+
+Run the client container with extra capabilities
+
+```shell
+docker run --rm -it --cap-add=NET_RAW --cap-add=NET_ADMIN dnssec-tests-client /bin/bash
+```
+
+Then run `tshark` inside the container:
+
+```shell
+tshark -f 'host 172.17.0.3' -O dns
+```
+
+to filter DNS messages for host `172.17.0.3` (`unbound`).
diff --git a/docker/client.Dockerfile b/docker/client.Dockerfile
new file mode 100644
index 00000000..be9c228a
--- /dev/null
+++ b/docker/client.Dockerfile
@@ -0,0 +1,4 @@
+FROM ubuntu:22.04
+
+RUN apt-get update && \
+  apt-get install -y dnsutils iputils-ping tshark
\ No newline at end of file
diff --git a/docker/nsd.Dockerfile b/docker/nsd.Dockerfile
index a758bdeb..216b0a2b 100644
--- a/docker/nsd.Dockerfile
+++ b/docker/nsd.Dockerfile
@@ -1,4 +1,4 @@
 FROM ubuntu:22.04
 
 RUN apt-get update && \
-  apt-get install -y nsd
\ No newline at end of file
+  apt-get install -y nsd iputils-ping
\ No newline at end of file
diff --git a/docker/unbound.Dockerfile b/docker/unbound.Dockerfile
index 45a11b85..e0473477 100644
--- a/docker/unbound.Dockerfile
+++ b/docker/unbound.Dockerfile
@@ -1,4 +1,4 @@
 FROM ubuntu:22.04
 
 RUN apt-get update && \
-  apt-get install -y unbound
\ No newline at end of file
+  apt-get install -y unbound iputils
\ No newline at end of file