PCAP
Overview
PCAP captures network traffic from a node interface using libpcap and emits one log record per packet (or per matched flow). Useful for network forensics, IDS-style enrichment, and ad-hoc traffic capture on a host or DaemonSet.
The receiver runs on the host where the collector is deployed and requires privileges to open the chosen interface in capture mode. In Kubernetes this means running the pod with securityContext.capabilities.add: ["NET_RAW", "NET_ADMIN"] (or privileged: true) and hostNetwork: true if you need to see traffic on the underlying node interfaces.
Supported platforms
- Linux: Logs
- macOS: Logs
Supported types: Logs
Basic Configuration
| Parameter | Type | Default | Required | Description |
|---|---|---|---|---|
| interface | string | — | Yes | Network interface to capture from (e.g. eth0, en0, any). |
| bpf | string | — | No | Berkeley Packet Filter expression to limit captured traffic (e.g. tcp port 80, host 10.0.0.1 and not port 22). When omitted, all packets the interface sees are captured. |
Advanced Settings
| Parameter | Type | Default | Required | Description |
|---|---|---|---|---|
| advanced.snaplen | int | 65535 | No | Maximum bytes captured per packet. The default captures full Ethernet frames; lower it (e.g. 1500) to drop large payloads and reduce memory use. |
| advanced.promiscuous | bool | false | No | When true, the interface accepts every frame regardless of MAC destination. Required for capturing traffic that isn't addressed to the host. Has no effect on the any pseudo-interface or on virtual interfaces. |
| advanced.read_timeout | duration | 1s | No | How long the kernel buffers packets before delivering a batch. Lower values reduce latency but increase syscall overhead. |
| advanced.buffer_size | int | OS default | No | Kernel ring-buffer size in bytes. Increase under high packet rates to avoid drops. |
| advanced.parse_attributes | bool | false | No | When true, common L3/L4 fields (net.protocol, src.ip, dst.ip, src.port, dst.port) are parsed and added as log record attributes. When false, only the raw packet bytes are emitted. |
| advanced.packet_channel_size | int | OS default | No | Internal Go channel size between the libpcap reader goroutine and the consumer. Tune up if you see "channel full" warnings under bursty traffic. |
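To make the parse_attributes and snaplen rows concrete, here is an added example (not the receiver's own code) of what extracting net.protocol, src.ip, dst.ip, src.port and dst.port from a raw Ethernet/IPv4 frame involves, including the case where the capture was cut short by a small snaplen. The struct and error names, and the constructed sample frame, are this example's own assumptions; the parser uses only the Go standard library.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// PacketAttrs holds the L3/L4 fields the receiver emits as record attributes when
// advanced.parse_attributes is true (net.protocol, src.ip, dst.ip, src.port, dst.port).
// The type name is an assumption of this example.
type PacketAttrs struct {
	NetProtocol string
	SrcIP       string
	DstIP       string
	SrcPort     uint16
	DstPort     uint16
}

// ErrTruncated is returned when the captured bytes end before the L4 header, which is
// exactly what a too-small advanced.snaplen looks like to a parser.
var ErrTruncated = errors.New("frame truncated before L4 header (snaplen too small?)")

const (
	etherTypeIPv4 = 0x0800
	ipProtoTCP    = 6
	ipProtoUDP    = 17
)

// ParseEthIPv4 parses an Ethernet II frame carrying IPv4 with TCP or UDP. Bounds are
// checked at every layer because a captured frame can stop at any byte.
func ParseEthIPv4(frame []byte) (PacketAttrs, error) {
	var a PacketAttrs
	if len(frame) < 14 {
		return a, ErrTruncated
	}
	if binary.BigEndian.Uint16(frame[12:14]) != etherTypeIPv4 {
		return a, errors.New("not an IPv4 frame")
	}
	ip := frame[14:]
	if len(ip) < 20 {
		return a, ErrTruncated
	}
	if ip[0]>>4 != 4 {
		return a, errors.New("IP version field is not 4")
	}
	ihl := int(ip[0]&0x0f) * 4 // header length in bytes, options included
	if ihl < 20 {
		return a, errors.New("invalid IHL")
	}
	if len(ip) < ihl {
		return a, ErrTruncated
	}
	a.SrcIP = net.IP(ip[12:16]).String()
	a.DstIP = net.IP(ip[16:20]).String()
	switch ip[9] {
	case ipProtoTCP:
		a.NetProtocol = "tcp"
	case ipProtoUDP:
		a.NetProtocol = "udp"
	default:
		return a, fmt.Errorf("unsupported IP protocol %d", ip[9])
	}
	// Only the first fragment carries the transport header.
	if binary.BigEndian.Uint16(ip[6:8])&0x1fff != 0 {
		return a, errors.New("non-first IP fragment has no L4 header")
	}
	l4 := ip[ihl:]
	if len(l4) < 4 { // TCP and UDP both begin with src port, dst port
		return a, ErrTruncated
	}
	a.SrcPort = binary.BigEndian.Uint16(l4[0:2])
	a.DstPort = binary.BigEndian.Uint16(l4[2:4])
	return a, nil
}

// SampleFrame returns a constructed Ethernet/IPv4/TCP SYN from 10.0.0.5:44321 to
// 192.0.2.10:443 (checksums left zero; this parser does not validate them).
func SampleFrame() []byte {
	return []byte{
		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, // dst MAC
		0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, // src MAC
		0x08, 0x00, // EtherType IPv4
		0x45, 0x00, 0x00, 0x28, // version 4, IHL 5, DSCP 0, total length 40
		0x00, 0x01, 0x40, 0x00, // identification, flags DF, fragment offset 0
		0x40, 0x06, 0x00, 0x00, // TTL 64, protocol TCP, header checksum
		10, 0, 0, 5, // src IP
		192, 0, 2, 10, // dst IP
		0xad, 0x21, 0x01, 0xbb, // src port 44321, dst port 443
		0x00, 0x00, 0x00, 0x01, // sequence number
		0x00, 0x00, 0x00, 0x00, // acknowledgement number
		0x50, 0x02, 0xff, 0xff, // data offset 5, flags SYN, window
		0x00, 0x00, 0x00, 0x00, // checksum, urgent pointer
	}
}

func main() {
	a, err := ParseEthIPv4(SampleFrame())
	fmt.Printf("full frame: %+v err=%v\n", a, err)
	// The same frame captured with a snaplen of 34 keeps Ethernet+IP but loses TCP.
	a, err = ParseEthIPv4(SampleFrame()[:34])
	fmt.Printf("snaplen 34: %+v err=%v\n", a, err)
}
```

The truncated call shows why lowering snaplen below roughly 64 bytes is a bad trade when parse_attributes is on: the L3 addresses survive, but the ports do not, and the record falls back to raw bytes with an error rather than a partially wrong 5-tuple.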
Example Configuration
```jsonc
{
  // Basic
  "interface": "eth0",
  "bpf": "tcp and (port 80 or port 443) and not net 10.0.0.0/8",
  // Advanced
  "advanced": {
    "snaplen": 1500,
    "promiscuous": true,
    "read_timeout": "100ms",
    "buffer_size": 4194304,
    "parse_attributes": true,
    "packet_channel_size": 4096
  }
}
```
Operational Notes
- Privileges: opening a real interface in capture mode requires CAP_NET_RAW. On Linux, that's typically root or a binary with the appropriate capability set; in K8s, set the pod securityContext. The default praxiscollector user (uid 10001) does not have CAP_NET_RAW, so running this receiver in the supervised collector image needs a securityContext override.
- DaemonSet pattern: for cluster-wide packet capture, deploy this receiver as a DaemonSet with hostNetwork: true and the NET_RAW/NET_ADMIN capabilities. Use a tight bpf filter: capturing all traffic on a busy node will saturate both the receiver and any downstream destination.
- Drops: if the node's packet rate exceeds what the receiver can drain, libpcap will drop packets at the kernel level. Watch the receiver's drop metrics and consider tightening bpf, raising buffer_size, or scaling out per-node.
- Volume: capture is high-throughput by nature. Always pair with the probabilistic_sampler processor or aggressive filters before any persistent destination.
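The drop and packet_channel_size notes above describe a hand-off between the libpcap reader goroutine and the consumer. The added example below (this page's own illustration, not the receiver's implementation) models that hand-off with a non-blocking send into a bounded channel and counts what is lost when the consumer stalls; the Reader type, its methods and the burst sizes are assumptions of this example.

```go
package main

import "fmt"

// PacketStats records the outcome of every hand-off from the reader to the consumer.
type PacketStats struct {
	Delivered int
	Dropped   int
}

// Reader models the libpcap reader goroutine. It must never block on the consumer:
// if it did, the kernel ring buffer would fill and libpcap would drop at the kernel
// level, where the receiver has no per-packet accounting.
type Reader struct {
	ch    chan []byte
	stats PacketStats
}

// NewReader sizes the hand-off channel the way advanced.packet_channel_size would.
func NewReader(channelSize int) *Reader {
	return &Reader{ch: make(chan []byte, channelSize)}
}

// Offer hands one packet to the consumer without blocking. A full channel means the
// consumer is behind; the packet is dropped and counted (the "channel full" condition).
func (r *Reader) Offer(pkt []byte) bool {
	select {
	case r.ch <- pkt:
		r.stats.Delivered++
		return true
	default:
		r.stats.Dropped++
		return false
	}
}

// Drain takes up to n queued packets and returns how many were consumed.
func (r *Reader) Drain(n int) int {
	taken := 0
	for taken < n {
		select {
		case <-r.ch:
			taken++
		default:
			return taken
		}
	}
	return taken
}

// Stats returns the hand-off counters so far.
func (r *Reader) Stats() PacketStats { return r.stats }

// SimulateBurst offers `burst` packets while the consumer is stalled, then lets the
// consumer catch up; it returns the hand-off statistics for that burst.
func SimulateBurst(channelSize, burst int) PacketStats {
	r := NewReader(channelSize)
	for i := 0; i < burst; i++ {
		r.Offer([]byte{byte(i)}) // constructed one-byte placeholder packets
	}
	r.Drain(burst)
	return r.Stats()
}

func main() {
	for _, size := range []int{1024, 4096, 8192} {
		fmt.Printf("channel %5d, burst 5000: %+v\n", size, SimulateBurst(size, 5000))
	}
}
```

Run it and the channel size maps directly onto how long a consumer stall can last before packets are lost; in practice a tighter bpf filter shrinks the burst itself, which is why the notes recommend that before raising buffer sizes.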