Packet capture mode. Environment.

Requirements for Windows

On Windows, the application requires Npcap with WinPcap compatibility mode enabled. Npcap provides the necessary drivers and APIs for packet capture, and its compatibility with WinPcap ensures broader application support.

Npcap Installation: Ensure that Npcap is installed on the server with the "WinPcap API compatibility" option selected during installation.

Requirements for Linux

On Linux, the application requires libpcap and must be run as root.

Promiscuous Mode

Ensure the network interface is in promiscuous mode. You can enable it manually. List your network interfaces:

ip link

Set the desired interface (e.g., eth0) to promiscuous mode:

sudo ip link set eth0 promisc on

Verify the interface is in promiscuous mode:

ip link show eth0

Verify traffic on the interface:

sudo tcpdump -i eth0

Docker

Running packet capture in a Docker container on Linux has specific requirements due to network namespace isolation and permissions. Below are the main requirements and considerations:

  • Capabilities: Docker containers run with restricted permissions by default. To enable packet capture (which usually requires root or specific capabilities), grant the container the CAP_NET_ADMIN and CAP_NET_RAW capabilities:

docker run --cap-add=NET_ADMIN --cap-add=NET_RAW impleo/recaster:2.10.0

  • Privileged Mode: If more extensive network access is required, you can run the container in privileged mode. This gives the container full access to the host system, so use it only when the two capabilities above are not sufficient:

docker run --privileged impleo/recaster:2.10.0

  • Access to the Network Interface: Ensure that the container has access to the network interfaces where you want to capture packets. If the container uses the default bridge network, it won't see traffic from the host or other containers directly. Use host networking mode if you need the container to capture traffic on the host's network interface:

docker run --network host impleo/recaster:2.10.0

  • Access to /dev or /proc (Optional): To access raw network interfaces or system-level statistics, your container might need access to the /dev or /proc directories on the host. Bind-mounting them can help:

docker run -v /dev:/dev -v /proc:/proc impleo/recaster:2.10.0

  • Host Dependencies: Ensure the host has the necessary kernel modules and configurations. The libpcap library typically relies on AF_PACKET sockets, which must be supported by the kernel. Ensure the user running the Docker daemon has permission to capture packets.
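
The checks from the Promiscuous Mode and Docker sections can be scripted as a preflight step. The following is an added example, not part of the application or its documentation; the function names has_cap, is_promisc and preflight are hypothetical, and the sample values at the end are constructed.

```shell
#!/bin/sh
# Added example: preflight checks before starting packet capture on Linux,
# on the host or inside a container. Function names are hypothetical.

CAP_NET_ADMIN=12   # capability numbers from linux/capability.h
CAP_NET_RAW=13

# has_cap HEXMASK BIT: succeed if capability number BIT is set in a
# CapEff mask as printed in /proc/<pid>/status.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# is_promisc "LINE": succeed if the <...> flag list on the first line of
# `ip link show IFACE` output contains the PROMISC flag.
is_promisc() {
    flags=${1#*<}                      # drop everything up to the first '<'
    [ "$flags" != "$1" ] || return 1   # no flag list on this line
    flags=${flags%%>*}                 # keep only what precedes '>'
    case ",$flags," in
        *,PROMISC,*) return 0 ;;
        *)           return 1 ;;
    esac
}

# preflight IFACE: check the current process and the given interface,
# print one line per problem, return non-zero if any check failed.
preflight() {
    mask=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    rc=0
    has_cap "$mask" "$CAP_NET_RAW"   || { echo "missing CAP_NET_RAW";   rc=1; }
    has_cap "$mask" "$CAP_NET_ADMIN" || { echo "missing CAP_NET_ADMIN"; rc=1; }
    line=$(ip link show "$1" 2>/dev/null | head -n 1)
    [ -n "$line" ]     || { echo "$1 is not visible in this network namespace"; rc=1; }
    is_promisc "$line" || { echo "$1 is not in promiscuous mode"; rc=1; }
    return $rc
}

# Constructed sample values, for trying the helpers without a live system.
SAMPLE_RESTRICTED=00000000a80425fb   # mask with NET_RAW but without NET_ADMIN
SAMPLE_FULL=000001ffffffffff         # mask with every low capability bit set
SAMPLE_LINK='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP'

# Usage on a real system: preflight eth0
```

Run inside the container, a "not visible" result for a host interface indicates the container is not using host networking.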