RCDCap erspan version 3 (gre-proto-0x22eb)
RCDCap is a remote capture preprocessor
Brought to you by:
zero_effect
Menu
▾
▴
Hi all, is there any way how to change RCDCap configuration for decapsulating erspan version 3 ???? Thanks.
Can you provide a very simple capture of ping (ICMP) packets?
The problem is, that I'm still getting gre encapsulated dump and I think it's caused by erspan version header type 0x22eb. ERSPAN v1 header type is 0x88be
My dump from RCDCap:
(tos 0x28, ttl 25, id 64066, offset 0, flags [none], proto GRE (47), length 262)
10.132.63.1 > localhost.localdomain: GREv0, Flags [sequence# present], seq 832122434, length 242
gre-proto-0x22eb
rcdcap -i ens33 --erspan --tap-persist --tap-device mon1 --expression "host 10.132.1.241"
I meant just an encapsulated stream of packets, so that i can debug it.
Last edit: Zero effect 2018-04-12
06:01:40.969924 IP 10.132.63.1 > localhost.localdomain: GREv0, seq 832271090, length 242: gre-proto-0x22eb
06:01:40.970929 IP 10.132.63.1 > localhost.localdomain: GREv0, seq 898777497, length 242: gre-proto-0x22eb
06:01:40.980932 IP 10.132.63.1 > localhost.localdomain: GREv0, seq 898777498, length 242: gre-proto-0x22eb
06:01:40.982913 IP 10.132.63.1 > localhost.localdomain: GREv0, seq 832271091, length 242: gre-proto-0x22eb
06:01:40.984911 IP 10.132.63.1 > localhost.localdomain: GREv0, seq 898777499, length 242: gre-proto-0x22eb
06:01:40.985925 IP 10.132.63.1 > localhost.localdomain: GREv0, seq 832271092, length 242: gre-proto-0x22eb
06:01:40.989919 IP 10.132.63.1 > localhost.localdomain: GREv0, seq 832271093, length 242: gre-proto-0x22eb
06:01:40.991920 IP 10.132.63.1 > localhost.localdomain: GREv0, seq 898777500, length 242: gre-proto-0x22eb
06:01:40.998935 IP 10.132.63.1 > localhost.localdomain: GREv0, seq 898777501, length 242: gre-proto-0x22eb
I need binary files with original packets
I had to set "no header-format 3" on my Nexus to get ERSPAN-2 packets, which are being decoded properly by RCDCap.
Do you still want ERSPAN-3 captures?