Packet Capture

The Packet Capture (PCAP) source captures network packets and emits them as OpenTelemetry logs. It uses system-native command-line tools (tcpdump on macOS/Linux, dumpcap on Windows) to capture packets directly from a network interface.

Supported Platforms

Platform
Metrics
Logs
Traces

macOS

Linux

Windows

Prerequisites

macOS/Linux

Tool: tcpdump is pre-installed on macOS and most Linux distributions. To verify:

tcpdump --version

Windows

Tool: Requires Wireshark (which includes Npcap). Ensure dumpcap.exe is available (typically from Wireshark installation, or specify executable_path).

  • Install Wireshark: https://www.wireshark.org/download.html (includes Npcap during installation)

Configuration Table

Parameter         | Type   | Default   | Description
network_interface | string | ""        | Network interface to capture packets from.
filter            | string | ""        | BPF (Berkeley Packet Filter) expression to filter packets.
parse_attributes  | bool   | true      | Parse network attributes and add them to the logs.
snaplen           | int    | 65535     | Maximum bytes to capture per packet (64-65535).
promiscuous       | bool   | true      | Enable promiscuous mode to capture all network traffic.
executable_path   | string | "dumpcap" | The path to the dumpcap executable. Windows only (ignored on other platforms).

Interface Names

To list available interfaces on macOS/Linux:

tcpdump -D

To list available interfaces on Windows:

dumpcap -D

BPF Filters

BPF filters allow you to capture only specific traffic. Examples:

# Capture only HTTPS traffic
filter: "tcp port 443"

# Capture DNS queries and responses
filter: "udp port 53"

# Capture HTTP and HTTPS
filter: "tcp port 80 or tcp port 443"

# Capture traffic to/from specific IP
filter: "host 192.168.1.100"

# Complex filter with multiple conditions
filter: "(tcp port 80 or tcp port 443) and not src 192.168.1.1"

BPF filter syntax reference: tcpdump manual
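As an added illustration (not the source's own implementation), the Python below shows how the configuration keys above could map onto a tcpdump or dumpcap command line, with the 64-65535 snaplen range enforced, and how a tcpdump text line might be turned into endpoint attributes when parse_attributes is enabled. The exact flag mapping, the attribute names and the sample lines are assumptions made for this example.

```python
"""Constructed example: maps the PCAP source settings onto a tcpdump or
dumpcap command line and parses tcpdump's one-line text output into
endpoint attributes. Not the source's own code; flag set is an assumption."""
import re
from typing import Dict, List, Optional

# tcpdump -n line shape: "<ts> IP <src>.<sport> > <dst>.<dport>: ..." (IPv4 only)
_TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

def build_capture_command(cfg: Dict, platform: str) -> List[str]:
    """Turn the configuration-table keys into argv; snaplen must be 64-65535."""
    snaplen = int(cfg.get("snaplen", 65535))
    if not 64 <= snaplen <= 65535:
        raise ValueError(f"snaplen {snaplen} is outside 64-65535")
    iface = cfg.get("network_interface", "")
    if not iface:
        raise ValueError("network_interface must be set")
    bpf = cfg.get("filter", "")
    if platform == "windows":
        # dumpcap: -i interface, -s snaplen, -w - writes pcap to stdout, -f capture filter
        argv = [cfg.get("executable_path") or "dumpcap", "-i", iface, "-s", str(snaplen), "-w", "-"]
    else:
        # tcpdump: -l line-buffered, -n no name resolution; filter is a trailing argument
        argv = ["tcpdump", "-l", "-n", "-i", iface, "-s", str(snaplen)]
    if not cfg.get("promiscuous", True):
        argv.append("-p")  # both tools: -p disables promiscuous mode
    if bpf:
        argv += ["-f", bpf] if platform == "windows" else [bpf]
    return argv

def parse_tcpdump_line(line: str) -> Optional[Dict[str, str]]:
    """Return OTel-style endpoint attributes (assumed names), or None if the
    line is not an IPv4 tcpdump record, so callers never guess on ARP/IPv6."""
    m = _TCPDUMP_LINE.match(line)
    if not m:
        return None
    return {"timestamp": m["ts"],
            "source.address": m["src"], "source.port": m["sport"],
            "destination.address": m["dst"], "destination.port": m["dport"]}

# Constructed sample output, as tcpdump -n prints a DNS query and an ARP request.
SAMPLE_LINES = [
    "12:00:00.123456 IP 192.168.1.100.54321 > 8.8.8.8.53: 12345+ A? example.com. (29)",
    "12:00:01.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.100, length 28",
]
```

A real deployment should pass the argv list straight to a subprocess (no shell), so a filter string is never interpreted by a shell.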
