This feature is available as an add-on for the Honeycomb Enterprise plan. Please contact your Honeycomb account team for details.
The Packet Capture (PCAP) source captures network packets and emits them as OpenTelemetry logs. It uses system-native tools (tcpdump on macOS/Linux, Npcap on Windows) to capture packets directly from a network interface.

Supported Platforms

Platform | Metrics | Logs | Traces
macOS    |         | ✓    |
Linux    |         | ✓    |
Windows  |         | ✓    |

Prerequisites

macOS/Linux

Tool: tcpdump is pre-installed on macOS and most Linux distributions. To verify:
tcpdump --version

Windows

Tool: Requires the Npcap driver (included with Wireshark, or installed standalone from Npcap).
  • Install Npcap (or install Wireshark, which includes Npcap)
  • List interfaces using PowerShell or the Npcap SDK tools
  • Interface names on Windows use Npcap device paths (e.g., \Device\NPF_{GUID})

Configuration Table

Parameter         | Type   | Default | Description
network_interface | string | ""      | Network interface to capture packets from.
filter            | string | ""      | BPF (Berkeley Packet Filter) expression to filter packets.
parse_attributes  | bool   | true    | The path to the dumpcap executable. Windows only (ignored on other platforms).
snaplen           | int    | 65535   | Maximum bytes to capture per packet (64-65535).
promiscuous       | bool   | true    | Enable promiscuous mode to capture all network traffic.
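The snaplen value decides how many bytes of each packet reach the capture; anything beyond it is dropped, while the packet's original length is still recorded. The following added example (written for this page, not code from the Honeycomb documentation or the pcap source) writes a constructed Ethernet/IPv4/TCP frame into a classic pcap byte string at different snaplen values and shows that the 64-byte minimum cuts off a TLS-style server name that sits deeper in the frame. The frame, its addresses and the payload layout are made up for the demonstration; checksums are left at zero.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet + IPv4 + TCP to port 443 carrying a
# TLS-like payload whose server name appears beyond byte 64 of the frame.
SERVER_NAME = b"example.com"


def build_sample_frame():
    """Return a constructed Ethernet frame; IP/TCP checksums are deliberately left at zero."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"                          # dst MAC, src MAC, EtherType IPv4
    payload = b"\x16\x03\x01" + bytes(62) + SERVER_NAME + bytes(20)  # TLS record header, filler, name, filler
    ip_total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     bytes([192, 168, 1, 100]), bytes([93, 184, 216, 34]))  # constructed addresses
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(frames, snaplen):
    """Serialise frames into a classic little-endian pcap byte string, truncating each to snaplen."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, LINKTYPE_ETHERNET (1)
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        # Record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def read_pcap(data):
    """Parse a classic little-endian pcap byte string into (incl_len, orig_len, bytes) records."""
    magic, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    records, off = [], 24
    while off < len(data):
        _sec, _usec, incl, orig = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((incl, orig, data[off:off + incl]))
        off += incl
    return snaplen, linktype, records


def snaplen_report(snaplen):
    """Capture the sample frame at the given snaplen and report what survives."""
    _, _, records = read_pcap(write_pcap([build_sample_frame()], snaplen))
    incl, orig, captured = records[0]
    return {
        "incl_len": incl,
        "orig_len": orig,
        "truncated": incl < orig,              # both lengths are recorded, so truncation is detectable
        "server_name_visible": SERVER_NAME in captured,
    }


if __name__ == "__main__":
    for s in (64, 128, 65535):
        print(s, snaplen_report(s))
```

Because libpcap stores both incl_len and orig_len, a capture that was taken with too small a snaplen can be detected after the fact by comparing the two; the fields a detection needs, however, are gone for good, so size snaplen for the deepest header you intend to inspect.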

Interface Names

To list available interfaces on macOS/Linux:
tcpdump -D
To list available interfaces on Windows, if you have Wireshark installed, use the dumpcap executable:
C:\path-to-wireshark-installation\dumpcap.exe -D
Otherwise, use Get-NetAdapter:
Get-NetAdapter | Select-Object DeviceName
This result lists the interface device names, but not in the Npcap format that the receiver expects. To convert a name to the correct format, insert NPF_ after \Device\ :
\Device\{1D5B8F34-3D34-47E7-960B-E18EBC729A13} -> \Device\NPF_{1D5B8F34-3D34-47E7-960B-E18EBC729A13}
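Added example, not from the Honeycomb documentation or the pcap source itself: a small Python check that performs the \Device\{GUID} to \Device\NPF_{GUID} conversion above and validates a pcap source configuration against the configuration table (interface format by platform, the 64-65535 snaplen range, boolean and string types) before it is deployed. The function names, the platform strings and the assumption that macOS/Linux interface names are plain identifiers such as en0 or eth0 are mine.

```python
import re
import sys

# \Device\NPF_{GUID} is the form the pcap source expects for network_interface on Windows.
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
NPF_PATH = re.compile(r"^\\Device\\NPF_" + GUID + r"$")
DEVICE_NAME = re.compile(r"^\\Device\\(" + GUID + r")$")   # what Get-NetAdapter's DeviceName reports


def to_npcap_name(device_name):
    """Convert a Get-NetAdapter DeviceName to the Npcap form; already-converted names pass through."""
    if NPF_PATH.match(device_name):
        return device_name
    m = DEVICE_NAME.match(device_name)
    if not m:
        raise ValueError(f"not a Windows device path: {device_name!r}")
    return r"\Device\NPF_" + m.group(1)


def check_pcap_config(cfg, platform=sys.platform):
    """Return a list of problems in a pcap source config dict (an empty list means it looks valid)."""
    problems = []
    iface = cfg.get("network_interface", "")
    if not isinstance(iface, str) or not iface:
        problems.append("network_interface must be a non-empty string")
    elif platform.startswith("win"):
        if not NPF_PATH.match(iface):
            hint = " (run it through to_npcap_name)" if DEVICE_NAME.match(iface) else ""
            problems.append(f"network_interface must look like \\Device\\NPF_{{GUID}} on Windows{hint}")
    elif not re.fullmatch(r"[A-Za-z0-9._:-]+", iface):
        # Assumption: macOS/Linux names are plain identifiers such as en0, eth0 or ens192
        problems.append("network_interface should be a plain interface name such as en0 or eth0")
    snaplen = cfg.get("snaplen", 65535)
    if not isinstance(snaplen, int) or isinstance(snaplen, bool) or not 64 <= snaplen <= 65535:
        problems.append("snaplen must be an integer between 64 and 65535")
    for key in ("promiscuous", "parse_attributes"):
        if key in cfg and not isinstance(cfg[key], bool):
            problems.append(f"{key} must be true or false")
    if "filter" in cfg and not isinstance(cfg["filter"], str):
        problems.append("filter must be a BPF expression string")
    return problems


if __name__ == "__main__":
    raw = r"\Device\{1D5B8F34-3D34-47E7-960B-E18EBC729A13}"   # constructed, as Get-NetAdapter would print it
    print(to_npcap_name(raw))
    print(check_pcap_config({"network_interface": raw, "snaplen": 32}, platform="win32"))
```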

BPF Filters

BPF filters allow you to capture only specific traffic. Examples:
# Capture only HTTPS traffic
filter: "tcp port 443"

# Capture DNS queries and responses
filter: "udp port 53"

# Capture HTTP and HTTPS
filter: "tcp port 80 or tcp port 443"

# Capture traffic to/from specific IP
filter: "host 192.168.1.100"

# Complex filter with multiple conditions
filter: "(tcp port 80 or tcp port 443) and not src 192.168.1.1"
BPF filter syntax reference: tcpdump manual
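The examples above read as plain English, but BPF applies the precedence not, then and, then or, so the parentheses in the last filter decide what it admits. The added example below (my code, not the receiver's or libpcap's) implements an evaluator for the subset of pcap-filter syntax used above (tcp/udp/icmp, src/dst, host/port, and/or/not, parentheses) and runs the page's filters over a handful of constructed packet summaries, including the last filter with its parentheses removed. Addresses and ports are constructed; a real deployment compiles the expression with libpcap, which this only imitates for the syntax shown.

```python
import re

# Constructed packet summaries (not a real capture). Ports are None for protocols without them.
PACKETS = [
    {"proto": "tcp",  "src": "192.168.1.100", "dst": "93.184.216.34", "sport": 51000, "dport": 443},
    {"proto": "udp",  "src": "192.168.1.100", "dst": "192.168.1.1",   "sport": 53000, "dport": 53},
    {"proto": "tcp",  "src": "192.168.1.1",   "dst": "10.0.0.5",      "sport": 80,    "dport": 40000},
    {"proto": "icmp", "src": "10.0.0.7",      "dst": "10.0.0.8",      "sport": None,  "dport": None},
]

PROTOS, DIRS, TYPES = {"tcp", "udp", "icmp"}, {"src", "dst"}, {"host", "port"}
KEYWORDS = PROTOS | DIRS | TYPES | {"and", "or", "not", "(", ")"}


class FilterParser:
    """Recursive-descent parser for a subset of pcap-filter syntax; precedence is not > and > or."""

    def __init__(self, text):
        self.toks = re.findall(r"\(|\)|[^\s()]+", text)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return node
        return self.parse_primitive()

    def parse_primitive(self):
        # [proto] [src|dst] [host|port] [value]; e.g. "tcp port 443", "not src 192.168.1.1"
        proto = self.take() if self.peek() in PROTOS else None
        direction = self.take() if self.peek() in DIRS else None
        kind = self.take() if self.peek() in TYPES else None
        value = self.take() if self.peek() is not None and self.peek() not in KEYWORDS else None
        if value is None and (kind or direction or not proto):
            raise SyntaxError(f"incomplete primitive near token {self.pos}")
        if value is not None and kind is None:
            kind = "host"          # pcap-filter: a bare address defaults to the "host" qualifier
        return ("prim", proto, direction, kind, value)


def matches(node, pkt):
    """Evaluate a parsed filter tree against one packet summary."""
    if node[0] == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if node[0] == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if node[0] == "not":
        return not matches(node[1], pkt)
    _, proto, direction, typ, value = node
    if proto and pkt["proto"] != proto:
        return False
    if value is None:                          # a bare protocol primitive such as "tcp"
        return True
    src_key, dst_key = {"host": ("src", "dst"), "port": ("sport", "dport")}[typ]
    wanted = int(value) if typ == "port" else value
    keys = {"src": (src_key,), "dst": (dst_key,), None: (src_key, dst_key)}[direction]
    return any(pkt[k] == wanted for k in keys)


def count_matches(expr, packets=PACKETS):
    """Number of packets a filter admits; the expression is compiled once, as libpcap would."""
    tree = FilterParser(expr).parse()
    return sum(matches(tree, p) for p in packets)


if __name__ == "__main__":
    for f in ("tcp port 443", "udp port 53", "tcp port 80 or tcp port 443", "host 192.168.1.100",
              "(tcp port 80 or tcp port 443) and not src 192.168.1.1",
              "tcp port 80 or tcp port 443 and not src 192.168.1.1"):
        print(f"{count_matches(f)}  {f}")
```

The last two filters differ only in the parentheses: without them, "and" binds tighter than "or", so the exclusion of src 192.168.1.1 applies only to the port 443 branch and the port 80 packet from that host is admitted again.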