Packet Capture
The Packet Capture (PCAP) source captures network packets and emits them as OpenTelemetry logs. It uses system-native tools (tcpdump on macOS/Linux, Npcap on Windows) to capture packets directly from a network interface.
Supported Platforms

| Platform | Supported |
|---|---|
| macOS | ✓ |
| Linux | ✓ |
| Windows | ✓ |
Prerequisites
macOS/Linux
Tool: tcpdump is pre-installed on macOS and most Linux distributions.
To verify:

```shell
tcpdump --version
```

Windows
Tool: Requires the Npcap driver (included with Wireshark, or install standalone from https://npcap.com/).
- Install Npcap: https://npcap.com/ (or install Wireshark, which includes Npcap)
- List interfaces using PowerShell or the Npcap SDK tools
- Interface names on Windows use Npcap device paths (e.g., \Device\NPF_{GUID})
Configuration Table

| Parameter | Type | Default | Description |
|---|---|---|---|
| network_interface | string | "" | Network interface to capture packets from. |
| filter | string | "" | BPF (Berkeley Packet Filter) expression to filter packets. |
| parse_attributes | bool | true | The path to the dumpcap executable. Windows only (ignored on other platforms). |
| snaplen | int | 65535 | Maximum bytes to capture per packet (64-65535). |
| promiscuous | bool | true | Enable promiscuous mode to capture all network traffic. |
Interface Names
To list available interfaces on macOS/Linux:
To list available interfaces on Windows:
If you have Wireshark installed, use the dumpcap executable:
Otherwise, use Get-NetAdapter:
This output lists the interface names, but not in the Npcap format the receiver expects. To convert a name to the correct format, insert \NPF_
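As an added example (not code from this page or from the receiver itself): a small Python helper that applies the rules above, checking a pcap source configuration against the configuration table (network_interface must be set, snaplen must be 64-65535, the BPF filter must at least have balanced parentheses) and converting a Windows InterfaceGuid from a Get-NetAdapter CSV export into the \Device\NPF_{GUID} path. The adapter names, GUIDs and CSV export are constructed, and the function names are assumptions, not the receiver's API.

```python
import csv
import io
import re
# Npcap device path prefix the source expects on Windows; Get-NetAdapter exposes
# the GUID part as InterfaceGuid (assumption: braces included in the value).
NPF_PREFIX = r"\Device\NPF_"
GUID_RE = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")
SNAPLEN_MIN, SNAPLEN_MAX = 64, 65535  # range from the configuration table

# Constructed sample of: Get-NetAdapter | Select-Object Name, InterfaceGuid | ConvertTo-Csv -NoTypeInformation
SAMPLE_ADAPTERS_CSV = """\
"Name","InterfaceGuid"
"Ethernet","{3A6D2C1E-7B4F-4E8A-9C0D-1F2E3D4C5B6A}"
"Wi-Fi","{0F1E2D3C-4B5A-4968-8776-655443322110}"
"""

def to_npcap_device(interface_guid: str) -> str:
    """Turn a Windows InterfaceGuid into the \\Device\\NPF_{GUID} form."""
    guid = interface_guid.strip()
    if not guid.startswith("{"):
        guid = "{" + guid + "}"
    if not GUID_RE.match(guid):
        raise ValueError(f"not a Windows interface GUID: {interface_guid!r}")
    return NPF_PREFIX + guid

def adapters_from_csv(text: str) -> dict:  # adapter name -> Npcap device path
    reader = csv.DictReader(io.StringIO(text))
    return {row["Name"]: to_npcap_device(row["InterfaceGuid"]) for row in reader}

def validate_pcap_config(cfg: dict, adapters: dict = None) -> dict:
    """Normalise a pcap source config or raise ValueError; on Windows pass
    `adapters` (friendly name -> device path), on macOS/Linux leave it None."""
    out = dict(cfg)
    iface = str(out.get("network_interface", ""))
    if not iface:
        raise ValueError("network_interface must be set")
    if adapters is not None and not iface.startswith(NPF_PREFIX):
        if iface not in adapters:
            raise ValueError(f"unknown Windows adapter: {iface!r}")
        out["network_interface"] = adapters[iface]
    snaplen = int(out.get("snaplen", SNAPLEN_MAX))
    if not SNAPLEN_MIN <= snaplen <= SNAPLEN_MAX:
        raise ValueError(f"snaplen {snaplen} outside {SNAPLEN_MIN}-{SNAPLEN_MAX}")
    out["snaplen"] = snaplen
    filt = str(out.get("filter", "")).strip()
    if filt.count("(") != filt.count(")"):  # cheap syntax check before tcpdump sees it
        raise ValueError("unbalanced parentheses in BPF filter")
    out["filter"] = filt
    out.setdefault("promiscuous", True)  # default from the configuration table
    return out
```

A lower snaplen also limits how much packet payload ends up in the emitted logs, which is worth weighing against the default of 65535 when full payloads are not needed.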
BPF Filters
BPF filters allow you to capture only specific traffic. Examples:
BPF filter syntax reference: tcpdump manual