Live Packet Capture

Capture from any local interface in real time. The same analysis pipeline that runs on an uploaded file runs incrementally on the live stream, so findings appear while the capture is still running.

Live capture is available on every tier: Community, Professional, Team, and Enterprise / MSSP. As of v1.0.0 it is no longer gated to paid tiers; Community users get the full live-capture experience, subject to the same packet and file limits as offline analysis.

Quick start

  1. Open the Live Capture view from the sidebar (or Ctrl/Cmd + 7).
  2. Pick an interface from the dropdown.
  3. (Optional) set a BPF capture filter (e.g. tcp port 80 or udp port 53). Packets the filter rejects are never captured, so keep it broad when you are not sure what you are looking for.
  4. Click Start. Packets stream in; the pipeline runs incrementally.
  5. Click Stop when done. The capture is saved as a session and as a .pcap file under your data directory (see Where captures are stored below).

macOS

BPF permissions

macOS gates raw packet access through the Berkeley Packet Filter (BPF) devices at /dev/bpf*. By default they are readable only by root, so capture fails with permission denied.

The .pkg installer registers ChmodBPF, a small launchd daemon that, on every boot, sets the /dev/bpf* devices to owner root, group access_bpf, mode 0660, i.e. read/write for members of access_bpf. The installer adds your user to that group; you must log out and back in for the new group membership to take effect. Note that anyone in access_bpf can read all traffic on every interface of the machine, so keep the group's membership to the users who actually need to capture.

Verifying ChmodBPF

# Check that ChmodBPF is loaded
sudo launchctl list | grep ChmodBPF
# Expected: a line with org.wireshark.ChmodBPF (the same helper Wireshark ships, hence the label)

# Check that you're in access_bpf group
groups
# Expected: access_bpf appears in your groups

# Check device permissions
ls -l /dev/bpf0
# Expected: crw-rw----  1 root  access_bpf  ...

If ChmodBPF isn't installed

# Reinstall just the ChmodBPF component
sudo /Library/Application\ Support/Intreys/install-chmod-bpf.sh

Apple Silicon notes

On Apple Silicon, install the universal .pkg, not the Intel-only build. Run uname -m to confirm the architecture: it prints arm64 in a native shell. A Terminal running under Rosetta reports x86_64 even on an Apple Silicon machine; the universal package covers both cases.

Windows 10/11

Npcap

Live capture on Windows requires Npcap, an NDIS 6 lightweight filter driver. The Intreys installer bundles Npcap and installs it in WinPcap API-compatible mode if it is not already present. If Npcap was installed earlier with its "Restrict Npcap driver's access to Administrators only" option enabled, capture works only from an elevated Intreys; either run it as administrator or reinstall Npcap without that option.

Verifying Npcap

sc query npcap
:: Expected: a line reading  STATE : 4 RUNNING

Loopback capture

Npcap can capture traffic on the Windows loopback interface (127.0.0.1 / ::1), which the normal NIC drivers never see. Enable the "Support loopback traffic" option during install, or re-run the Npcap installer to add it. Older Npcap releases expose this as a separate "Npcap Loopback Adapter"; current releases list it as a loopback capture interface alongside the physical adapters.

Common Windows issues

Linux

libpcap and capabilities

Linux capture uses libpcap, which opens an AF_PACKET socket. Without CAP_NET_RAW that socket cannot be created, so capture fails. The .deb postinst sets the cap_net_raw and cap_net_admin file capabilities on the capture binary so live capture works without sudo (the same command you would run by hand):

sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/intreys-capture

Verifying capabilities

getcap /usr/bin/intreys-capture
# Expected (newer libcap): /usr/bin/intreys-capture cap_net_admin,cap_net_raw=eip
# Older libcap prints the same thing as: /usr/bin/intreys-capture = cap_net_admin,cap_net_raw+eip
# Either way, cap_net_raw must be listed and the flags must include e (effective) and p (permitted).
# File capabilities are lost when the binary is replaced outside the package manager,
# and are ignored entirely on filesystems mounted nosuid.
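The macOS and Linux checks above, folded into one preflight script. This is an added example, not a script that Intreys ships: it assumes the device path, group name, binary path and capability set documented on this page, and its getcap parser accepts both libcap output styles (older libcap prints `/path = cap_net_admin,cap_net_raw+eip`, newer libcap prints `/path cap_net_admin,cap_net_raw=eip`). The parsers are separated from the commands that produce the output so they can also be run against `ls -l` or `getcap` output pasted from another machine.

```shell
#!/bin/sh
# Preflight check for Intreys live-capture privileges on macOS and Linux.
# Added example, not part of the Intreys installer; it assumes the paths and
# the access_bpf group name documented above.

# bpf_dev_ok LINE
# LINE is one line of `ls -l /dev/bpfN` output, for example:
#   crw-rw----  1 root  access_bpf   23,   0 Mar  1 09:00 /dev/bpf0
# Succeeds only for a character device whose group is access_bpf and whose
# mode gives the group read and write access (what ChmodBPF sets at boot).
bpf_dev_ok() {
    set -- $1                      # split into: mode links owner group ...
    [ $# -ge 4 ] || return 1       # empty or truncated line
    case "$1" in
        crw-rw-*) ;;               # c = char device, owner rw, group rw
        *) return 1 ;;
    esac
    [ "$4" = "access_bpf" ]
}

# caps_ok LINE
# LINE is the `getcap` output for the capture binary, in either libcap style:
#   /usr/bin/intreys-capture = cap_net_admin,cap_net_raw+eip   (older libcap)
#   /usr/bin/intreys-capture cap_net_admin,cap_net_raw=eip     (newer libcap)
# Succeeds only if cap_net_raw is present with both the effective (e) and
# permitted (p) flags; without e the capability sits in the file but is never
# raised when the binary runs.
caps_ok() {
    set -- $1
    [ $# -ge 2 ] || return 1       # getcap prints nothing when no caps are set
    shift $(($# - 1))              # keep the last field: caps list plus flags
    spec=$1
    case "$spec" in
        *=*) caps=${spec%%=*}; flags=${spec#*=} ;;
        *+*) caps=${spec%%+*}; flags=${spec#*+} ;;
        *)   return 1 ;;
    esac
    case ",$caps," in
        *,cap_net_raw,*) ;;
        *) return 1 ;;
    esac
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) ;; *) return 1 ;; esac
}

# Run the live checks for the current OS and print a reason on failure.
preflight() {
    case "$(uname -s)" in
        Darwin)
            bpf_dev_ok "$(ls -l /dev/bpf0 2>/dev/null)" \
                || { echo "FAIL: /dev/bpf0 is not root:access_bpf rw (ChmodBPF not loaded?)"; return 1; }
            id -Gn | tr ' ' '\n' | grep -qx access_bpf \
                || { echo "FAIL: $(id -un) is not in access_bpf (log out and back in after install)"; return 1; }
            ;;
        Linux)
            caps_ok "$(getcap /usr/bin/intreys-capture 2>/dev/null)" \
                || { echo "FAIL: cap_net_raw missing on /usr/bin/intreys-capture (re-run setcap)"; return 1; }
            ;;
        *)  echo "FAIL: unsupported OS $(uname -s)"; return 1 ;;
    esac
    echo "OK: live-capture privileges look correct"
}

# The live checks only run when invoked as:  sh preflight.sh --check
case "${1:-}" in
    --check) preflight ;;
esac
```

Run it as sh preflight.sh --check after installing, or after any upgrade that replaced the capture binary. A non-zero exit with a FAIL line points at the section above that fixes it.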

RPM-based distros

The RPM %post scriptlet runs the same setcap. If capture fails after dnf install, manually run the setcap command above.

Docker

To capture from inside a container, give it raw socket access and the host's network namespace (otherwise it only sees its own veth interface):

docker run --cap-add NET_RAW --cap-add NET_ADMIN --net=host \
  cybershelt/intreys:latest

With --net=host there is no port mapping to do: Docker discards -p options in host network mode, and the service listens on the host's interfaces directly (port 8765 in the default configuration). Be aware of what this grants: host networking plus NET_ADMIN lets the container see and reconfigure the host's network stack, and the UI is reachable from every address the host has, so keep the container on a trusted host and do not expose it beyond the network you intend.

Capture filters (BPF syntax)

Capture filters use BPF/tcpdump syntax and are evaluated in the kernel before a packet reaches Intreys, so anything they reject is never captured and cannot be recovered later; display filters, which narrow an already captured session, use a different syntax. One gotcha when 802.1Q tags do reach the capture: a filter such as tcp port 80 matches only untagged frames, because the tag shifts the IP header; write vlan and tcp port 80 to match inside tagged frames.

# Only HTTP traffic
tcp port 80

# DNS only
udp port 53

# Traffic to/from a specific host
host 192.168.1.42

# All except local management
not (port 22 or port 3389)

# ICS / Modbus
tcp port 502

Troubleshooting

“Permission denied”

Raw packet access was refused. On macOS, ChmodBPF is not loaded or your user is not yet in access_bpf (log out and back in after install); on Linux, the capture binary has lost its file capabilities; on Windows, the Npcap driver is not running or was installed restricted to Administrators. Work through the verification steps for your OS above.

“No interfaces listed”

On Windows, interface enumeration goes through the Npcap driver, so an empty list usually means the npcap service is not running (sc query npcap). On macOS and Linux, run the same permission checks as for “Permission denied”.

Drops in the capture

The kernel buffers packets between the NIC and the capture process; when the pipeline cannot keep up, the kernel discards packets and reports them as drops. Narrow the BPF capture filter so only relevant traffic is copied to user space, and avoid running other heavy work on the capturing host during the capture.

VLAN tags missing

Some NICs strip 802.1Q tags before frames reach BPF/Npcap, so tagged traffic appears untagged. Disable VLAN offload in the NIC driver: on Linux this is the rxvlan feature toggled with ethtool -K; on Windows it is the adapter's advanced property for priority and VLAN tagging (the exact name varies by driver).

Where captures are stored

OS        Path
macOS     ~/Library/Application Support/Intreys/captures/
Linux     ~/.local/share/intreys/captures/
Windows   %APPDATA%\Intreys\captures\

These files hold the raw payloads of whatever crossed the interface, credentials and session tokens included, so treat the directory as sensitive data and remove captures once an investigation is finished.