cloud_pcap

Network packet capture tool that runs tcpdump on configured interfaces, compresses rotated capture files with bzip2, and uploads them to S3-compatible storage (Backblaze B2).

Requirements

Go 1.22+
tcpdump
bzip2
Root privileges (for packet capture)

Build

go build -o cloud_pcap .

Configuration

Copy config.example.json to config.json and edit:

{
    "interfaces": ["ens256", "ens224"],
    "capture_dir": "/pcaps",
    "max_file_size_mb": 1024,
    "bpf_filter": "",
    "snap_len": 0,
    "s3": {
        "endpoint": "s3.eu-central-003.backblazeb2.com",
        "region": "eu-central-003",
        "bucket": "company-name-traffic",
        "prefix": "traffic/",
        "access_key_id": "YOUR_KEY",
        "secret_access_key": "YOUR_SECRET"
    },
    "delete_after_upload": true
}

Fields

Field	Description	Default
`interfaces`	Network interfaces to capture	(required)
`capture_dir`	Directory for pcap files	`/pcaps`
`max_file_size_mb`	Rotate when pcap file reaches this size in MB	`1024`
`bpf_filter`	BPF filter expression (e.g. `"tcp port 80"`)	(none)
`snap_len`	Snapshot length in bytes (0 = default 262144)	`0`
`s3.endpoint`	S3-compatible endpoint host	(required)
`s3.region`	S3 region	`us-east-1`
`s3.bucket`	S3 bucket name	(required)
`s3.prefix`	Key prefix for uploaded files	(none)
`s3.access_key_id`	S3 access key	(required)
`s3.secret_access_key`	S3 secret key	(required)
`delete_after_upload`	Delete compressed file after successful upload	`false`

Usage

# Start capture (requires root for tcpdump)
sudo ./cloud_pcap --config config.json

The tool will:

Start tcpdump on each configured interface
Monitor capture file size, rotate when it reaches max_file_size_mb
Compress completed files with bzip2
Upload .pcap.bz2 files to S3
Optionally delete local files after successful upload

How it works

For each interface, a goroutine runs a capture loop: start tcpdump, poll file size, stop tcpdump when the limit is reached, then compress+upload in the background and immediately start a new tcpdump
Compression and upload run asynchronously so capture is not interrupted
On SIGINT/SIGTERM, all tcpdump processes are stopped and pending uploads finish before exit

Install as systemd service

sudo cp cloud_pcap /usr/local/bin/
sudo mkdir -p /etc/cloud_pcap
sudo cp config.json /etc/cloud_pcap/config.json

Create /etc/systemd/system/cloud_pcap.service:

[Unit]
Description=Cloud PCAP Capture
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/cloud_pcap --config /etc/cloud_pcap/config.json
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target

sudo systemctl daemon-reload
sudo systemctl enable --now cloud_pcap

Name		Name	Last commit message	Last commit date
Latest commit History 14 Commits
.github/workflows		.github/workflows
dist		dist
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
callback.go		callback.go
callback_test.go		callback_test.go
capture.go		capture.go
config.example.json		config.example.json
config.go		config.go
go.mod		go.mod
go.sum		go.sum
main.go		main.go

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

cloud_pcap

Requirements

Build

Configuration

Fields

Usage

How it works

Install as systemd service

About

Uh oh!

Releases 2

Packages

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

cloud_pcap

Requirements

Build

Configuration

Fields

Usage

How it works

Install as systemd service

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases 2

Packages 0

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages

Packages