Skip to main content
Ent+
This feature is available as an add-on for the Honeycomb Enterprise plan. Please contact your Honeycomb account team for details.
The Packet Capture (PCAP) source captures network packets and emits them as OpenTelemetry logs. It uses system-native tools (tcpdump on macOS/Linux, Npcap on Windows) to capture packets directly from a network interface.

Supported Platforms

PlatformMetricsLogsTraces
macOS
Linux
Windows

Prerequisites

macOS/Linux

Tool: tcpdump is pre-installed on macOS and most Linux distributions. To verify:

Windows

Tool: Requires Npcap driver (included with Wireshark, or install standalone from Npcap).
  • Install Npcap (or install Wireshark which includes Npcap)
  • List interfaces using PowerShell or the Npcap SDK tools
  • Interface names on Windows use Npcap device paths (e.g., \Device\NPF_{GUID})

Configuration Table

ParameterTypeDefaultDescription
network_interfacestring""Network interface to capture packets from.
filterstring""BPF (Berkeley Packet Filter) expression to filter packets.
parse_attributesbooltrueThe path to the dumpcap executable. Windows only (ignored on other platforms).
snaplenint65535Maximum bytes to capture per packet (64-65535).
promiscuousbooltrueEnable promiscuous mode to capture all network traffic.

Interface Names

To list available interfaces on macOS/Linux:
To list available interfaces on Windows: If you have Wireshark installed, use the dumpcap executable:
Otherwise, use Get-NetAdapter:
This result will have the interface names, but not in the Npcap format that the receiver expects. To convert it to the correct format, insert \NPF_

BPF Filters

BPF filters allow you to capture only specific traffic. Examples:
BPF filter syntax reference: tcpdump manual