Using rcdcap 0.8.1. Main goal is to have two different tap devices so I can write two different tcpdump files based off the erspan source host.
I am trying to run two instances of rcdcap with the following commands:
rcdcap -d -i eth1 --erspan --tap-persist --tap-device mon1 --snaplen 65535 --expression host 1.1.1.1
rcdcap -d -i eth1 --erspan --tap-persist --tap-device mon2 --snaplen 65535 --expression host 2.2.2.2
When I try to execute the second command, I receive:
rcdcap: option '--expression' cannot be specified more than once
Now, if I run the commands this way:
rcdcap -d -i eth1 --erspan --tap-persist --tap-device mon1 --snaplen 65535 --expression host 1.1.1.1
rcdcap -d -i eth1 --erspan --tap-persist --tap-device mon2 --snaplen 65535
It works. I don’t receive an error. Any idea why we receive an error when trying to run two instances using expressions?
Any ideas?
What version of Boost do you use?
1.53.0
Is a different version required?
Try this instead:
rcdcap -d -i eth1 --erspan --tap-persist --tap-device mon1 --snaplen 65535 host 1.1.1.1
rcdcap -d -i eth1 --erspan --tap-persist --tap-device mon2 --snaplen 65535 host 2.2.2.2
That worked. Both commands were accepted without errors. I am going to test it to make sure I can accomplish what I am trying to do. Also, to anyone that uses @[Zero effect]'s recommendation: make sure to put quotes around "host x.x.x.x" and/or "host y.y.y.y".
rcdcap -d -i eth1 --erspan --tap-persist --tap-device mon1 --snaplen 65535 "host 1.1.1.1"
rcdcap -d -i eth1 --erspan --tap-persist --tap-device mon2 --snaplen 65535 "host 2.2.2.2"
Thank you Zero effect for giving me the proper syntax. I will update this thread once I finalize that I can write to two different tcpdump files.
I was able to write to multiple files. Thanks again for your help Zero.