Raw Capture
Raw Capture provides continuous L4 (TCP/UDP) packet capture across all nodes with minimal CPU overhead. It operates independently from real-time API dissection and stores all traffic in a node-level FIFO buffer.
Use Cases: Raw Capture is the foundation for both Incident Response (on-demand snapshots from the local rolling buffer) and Traffic Forensics (continuous backup to cloud storage for long-term historical investigation).
Helm Configuration: Control raw capture settings—storage size, capture filters, snapshot storage, and more—via Helm values. See Raw Capture Configuration for details.
Capabilities
| Capability | Description |
|---|---|
| Traffic Snapshots | Extract and preserve traffic for a specific time window |
| PCAP Export | Download raw packets for Wireshark analysis |
| Delayed Dissection | Run L7 protocol analysis on non-production compute |
Architecture
Raw Capture collects data from three layers:
| Layer | Data Collected |
|---|---|
| Network | TCP/UDP packets via eBPF/AF_PACKET |
| Kubernetes | Pod lifecycle, service endpoints, namespace events |
| Operating System | Process context, container IDs via eBPF |
Each worker node writes captured data to a local FIFO buffer. When the buffer reaches capacity, older data is recycled and discarded. To preserve traffic before it’s recycled, create a Traffic Snapshot—the data is moved to dedicated storage where it becomes immutable.
Independence from Real-time API Dissection
Raw Capture and real-time API dissection are controlled separately:
| Setting | Effect |
|---|---|
tap.capture.raw.enabled=true | Raw capture active |
tap.capture.dissection.enabled=false | Real-time API dissection stopped |
Both can run simultaneously, or raw capture can run alone. This enables continuous packet retention with real-time API dissection enabled only when needed.
These settings are configured via Helm values. See Raw Capture Configuration for the full configuration reference and Enabling/Disabling Dissection for operational details.
Resource Characteristics
| Metric | Raw Capture | Real-time API Dissection |
|---|---|---|
| CPU | Low (disk I/O bound) | High (protocol parsing) |
| Memory | Fixed buffer | Scales with traffic |
| Data loss risk | Minimal | Higher under load |
Raw Capture’s low CPU footprint eliminates packet loss under normal conditions. Real-time API dissection requires more resources but can be deferred to non-production systems via delayed dissection.