[FIXED} Custom Header Size to Decapsulate
RCDCap is a remote capture preprocessor
Brought to you by:
zero_effect
Menu
▾
▴
#3 [FIXED} Custom Header Size to Decapsulate
Hello RCDCap Team,
I have a question about decapsulating headers based on custom size. For Example, in our environment the ERSPAN header size is 38 bytes instead of 50 bytes, I have confirmed that using editcap utility on CentOS-7, when I take off 38 bytes off I can see actual SPAN traffic instead of GRE tunnel traffic. When I use RCDCap to decapsulate it takes some extra bytes of and loose Ether and IP headers. Is there a way to hardcore static length, e.g. 38 bytes, to decapsulate ERSPAN with RCDCap? Unfortunately, I cannot share PCAP due to organization policy. Please advise.
Another user (Walter Shoeber) suggested a patch for Juniper routers. I just commited slightly altered version in the Mercurial repo. Can you test it and say whether it fixes your issue?
Thank you very much. I will try and let you know how it goes, I just want to confirm that I am replacing erspan-processor.cc and then recomplie rpm for CentOS-7, right? Or can I just replace erspan-processor.cc on already installed system?
yes, you need to recompile
it worked, thanks a lot.