The Packet Capture (PCAP) source captures network packets and emits them as OpenTelemetry logs. It uses system-native tools (tcpdump on macOS/Linux, Npcap on Windows) to capture packets directly from a network interface.
| Platform | Metrics | Logs | Traces |
|---|---|---|---|
| macOS | | ✓ | |
| Linux | | ✓ | |
| Windows | | ✓ | |
macOS/Linux tool: tcpdump is pre-installed on macOS and most Linux distributions. To verify:

```shell
tcpdump --version
```

Opening an interface for capture requires root, or on Linux the CAP_NET_RAW and CAP_NET_ADMIN capabilities on the tcpdump binary, so the account running the collector must have that privilege.
Windows tool: requires the Npcap driver (included with Wireshark, or installed standalone from Npcap). Interfaces must be named in Npcap format (\Device\NPF_{GUID}); see the interface listing instructions below.

| Parameter | Type | Default | Description |
|---|---|---|---|
| network_interface | string | "" | Network interface to capture packets from. |
| filter | string | "" | BPF (Berkeley Packet Filter) expression to filter packets. |
| parse_attributes | bool | true | Parse captured packet fields into log record attributes. |
| *(dumpcap executable path; parameter name missing from this page)* | string | | The path to the dumpcap executable. Windows only (ignored on other platforms). |
| snaplen | int | 65535 | Maximum bytes to capture per packet (64-65535). |
| promiscuous | bool | true | Enable promiscuous mode to capture all traffic seen by the interface, not only traffic addressed to the host. |
To list available interfaces on macOS/Linux:

```shell
tcpdump -D
```

To list available interfaces on Windows, if you have Wireshark installed, use the dumpcap executable:

```powershell
C:\path-to-wireshark-installation\dumpcap.exe -D
```

Otherwise, use Get-NetAdapter:

```powershell
Get-NetAdapter | Select-Object DeviceName
```

This result has the device names, but not in the Npcap format that the receiver expects. To convert a name, insert `NPF_` between `\Device\` and the `{GUID}`:

```text
\Device\{1D5B8F34-3D34-47E7-960B-E18EBC729A13} -> \Device\NPF_{1D5B8F34-3D34-47E7-960B-E18EBC729A13}
```
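The same conversion done for every adapter at once, alongside the adapter's friendly name and link status so the right one can be chosen. This is an added example, not code from the original page or the project; it assumes only the `DeviceName` property of `Get-NetAdapter` that the listing command above already relies on, and the `NpcapName` column is a name chosen here for illustration.

```powershell
# Added example: list each adapter with the \Device\NPF_{GUID} name the
# PCAP source expects as network_interface on Windows.
# NpcapName is an illustrative column name, not a property of Get-NetAdapter.
Get-NetAdapter |
    Select-Object Name, Status, InterfaceDescription,
        @{ Name = 'NpcapName'
           # -replace is a regex replace: '^\\Device\\' matches the literal prefix "\Device\",
           # which is rewritten to "\Device\NPF_" so the trailing {GUID} is kept unchanged.
           Expression = { $_.DeviceName -replace '^\\Device\\', '\Device\NPF_' } } |
    Format-Table -AutoSize
```

Copy the `NpcapName` value of the adapter whose `Status` is `Up` into `network_interface`; an adapter that is down or disconnected opens successfully but captures nothing.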
BPF filters allow you to capture only specific traffic. Examples:

```yaml
# Capture only HTTPS traffic
filter: "tcp port 443"

# Capture DNS queries and responses
filter: "udp port 53"

# Capture HTTP and HTTPS
filter: "tcp port 80 or tcp port 443"

# Capture traffic to/from a specific IP
filter: "host 192.168.1.100"

# Complex filter with multiple conditions
filter: "(tcp port 80 or tcp port 443) and not src 192.168.1.1"
```

Two caveats when choosing a filter. BPF matches on packet headers, not content, so every packet that matches is captured up to `snaplen` bytes; with the default of 65535 that means full payloads (including any credentials or session data in plaintext protocols) are written into the log pipeline, so keep the filter narrow and lower `snaplen` when only headers are needed. Also, if the collector sends its own telemetry over the network, exclude that destination with `not host ... and port ...`, otherwise the source captures its own exported logs and the volume grows on each cycle.

BPF filter syntax reference: tcpdump manual