Hi Zero,
I am trying to do the decapsulation of ERSPAN packets following a blog, with the following commands:
$ modprobe ip_gre
$ ip link set dev eth1 mtu 1900
$ ip tunnel add mon0 mode gre local 10.0.8.6 ttl 8
$ ip addr add 1.1.1.1/30 dev mon0
$ ip link set mon0 up
$ rcdcap -i eth1 --erspan --tap-persist --tap-device mon1 --expression "host 10.0.8.6"
On this last line I get the following error:
rcdcap: option '--expression' cannot be specified more than once
Can you tell me or show me what this could be?
Thanks a lot
Best Regards
Try with the new version (0.8.1).
Thanks a lot!
Hi Zero,
The filters work! But now I have another issue.
When I execute this command: <rcdcap -i eth1 --erspan --worker-threads=2 --pfring --capture-mode=async -o output>, for testing purposes, it prints only this information:
18:21:50.226357 44:31:92:EB:0A:4E -> 00:50:56:AE:A3:A5
18:21:50.226476 44:31:92:EB:0A:4E -> 00:50:56:AE:A3:A5
18:21:50.226915 44:31:92:EB:0A:4E -> 00:50:56:AE:A3:A5
18:21:50.227288 44:31:92:EB:0A:4E -> 00:50:56:AE:A3:A5
18:21:50.227849 44:31:92:EB:0A:4E -> 00:50:56:AE:A3:A5
18:21:50.228146 44:31:92:EB:0A:4E -> 00:50:56:AE:A3:A5
18:21:50.228571 44:31:92:EB:0A:4E -> 00:50:56:AE:A3:A5
18:21:50.228703 44:31:92:EB:0A:4E -> 00:50:56:AE:A3:A5
18:21:50.228833 44:31:92:EB:0A:4E -> 00:50:56:AE:A3:A5
18:21:50.228989 44:31:92:EB:0A:4E -> 00:50:56:AE:A3:A5
Is it a problem, or could it be an issue with hardware capacity?
Once again, thank you very much!
Best Regards
RCDCap is meant as an intermediate application, so there isn't packet decapsulation in text format. If you want pretty printing you can pipe the output through tcpdump.
Hi Zero,
I want to's not necessary deeply your help, it's working beautifully. I'm going to abuse your help with one of the last questions, about this message:
IP truncated-ip - 7350 bytes missing!
Is it something that can be improved in the solution or is it something from the source?
Kind Regards
If you want to capture jumbo frames you can increase the snapshot length to 9000 bytes. For example:
rcdcap -s 9000 ... <your options>
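An added example, not part of the thread and not RCDCap's own code: a minimal ERSPAN Type II decapsulator that strips the outer Ethernet/IPv4/GRE/ERSPAN headers and compares the inner IPv4 total length with the bytes actually present, which is the kind of shortfall a "truncated-ip" message reports. It assumes an untagged outer Ethernet frame carrying IPv4; the function names and the sample frame (session 42, sizes chosen to give a 7350-byte shortfall) are constructed for illustration.

```python
import struct

GRE_PROTO_ERSPAN = 0x88BE  # GRE protocol type carrying ERSPAN Type I/II

def decap_erspan(frame: bytes):
    """Return (session_id, inner_frame, missing_inner_ip_bytes)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("outer frame is not untagged IPv4")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 47:
        raise ValueError("outer packet is not IPv4 carrying GRE")
    gre = 14 + ihl
    if len(frame) < gre + 4:
        raise ValueError("GRE header truncated")
    flags, proto = struct.unpack_from("!HH", frame, gre)
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError("GRE payload is not ERSPAN")
    # Optional GRE fields (checksum, key, sequence) add 4 bytes each.
    off = gre + 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    session_id = None
    if flags & 0x1000:  # sequence bit set: 8-byte ERSPAN Type II header follows
        if len(frame) < off + 8:
            raise ValueError("ERSPAN header truncated")
        word0 = struct.unpack_from("!I", frame, off)[0]
        if word0 >> 28 != 1:
            raise ValueError("not an ERSPAN Type II header")
        session_id = word0 & 0x3FF  # low 10 bits of the first word
        off += 8
    inner = frame[off:]
    missing = 0
    if len(inner) >= 18 and inner[12:14] == b"\x08\x00":
        total_len = struct.unpack_from("!H", inner, 16)[0]  # inner IPv4 total length
        missing = max(0, total_len - (len(inner) - 14))
    return session_id, inner, missing

def ipv4_header(total_len: int, proto: int) -> bytes:
    # Constructed header for the sample only (checksum left at zero).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def sample_frame(inner_ip_len: int, snaplen: int) -> bytes:
    """Constructed ERSPAN Type II frame (session 42), cut to snaplen bytes."""
    inner = bytes(12) + b"\x08\x00" + ipv4_header(inner_ip_len, 17) + bytes(inner_ip_len - 20)
    tunnel = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN, 1) + struct.pack("!II", (1 << 28) | 42, 0)
    outer = ipv4_header(20 + len(tunnel) + len(inner), 47)
    return (bytes(12) + b"\x08\x00" + outer + tunnel + inner)[:snaplen]

if __name__ == "__main__":
    for snaplen in (1564, 9000):
        sid, inner, missing = decap_erspan(sample_frame(8850, snaplen))
        print(f"snaplen={snaplen} session={sid} inner={len(inner)}B missing={missing}")
```

The 50 bytes of encapsulation (14 Ethernet + 20 IPv4 + 8 GRE + 8 ERSPAN) count against the snapshot length, so the capture size has to cover the mirrored frame plus that overhead.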