RCDCap is a packet processing framework. At its core, it incorporates basic mechanisms for local and remote capturing and decapsulation of packets (CISCO ERSPAN and HP ERM are supported). It can be extended to support many types of packet-based traffic analysis by creating plug-ins and loading them in the main application. It includes many optimizations to ensure high-performance traffic processing, among them multithreaded traffic processing, explicit thread pinning, configurable packet burst processing, and support for PF_PACKET and PF_RING. It can also be used to inject the processed traffic into a TAP device or a regular physical Ethernet interface. Its basic functionalities make it a viable solution for preprocessing CISCO ERSPAN and HP ERM traffic, which can then be handed to some other application.
RCDCap offers its own set of plug-ins for different types of traffic analysis. Notably, it includes a plug-in for analysing NDP, ARP, DHCP and DHCPv6 traffic.
Features
- CISCO ERSPAN decapsulation
- HP ERM decapsulation
- VLAN support (802.1Q and 802.1P)
- Outputting to the standard output, pcap dump file, or a network device
- Extendable through plug-ins
- Multithreaded packet processing
- Packet burst processing
- Performance tuning
- libpcap (PF_PACKET) and libpfring (PF_RING) support
- UDP socket-based support of HP ERM
- Plug-in: VLAN monitor
- Plug-in: Experimental Python binding
- Plug-in: DHCP, DHCPv6, NDP and ARP monitor
- Supported platforms: Linux and Windows
Categories: Networking
License: GNU General Public License version 3.0 (GPLv3)
User Reviews
- Many thanks for this great project! We use it in several environments supporting our NIDS deployments. We are definitely contributing to your beer fund! :)
- Excellent
- I use RCDCap to terminate an ERSPAN. It listens on a PF_RING-enabled interface, and the interface the network security apps listen on is PF_RING-enabled. It's high-performance, and does not seem to be dropping packets or overflowing buffers. I had to modify the build files a bit to get it to use a later version of the Boost libraries (1.55), and again to link it to the static pfring library, but it all worked in the end. It would be nice to see the ability to just strip VLAN tags as well as filter traffic based on BPF rules. I've dug into the code a little, and it seems to be well designed and easily extensible, though, so I will try to give it a shot.