Rick McClinton

Yes, I agree about the 10G - fortunately the bottleneck on my target segment is currently 1G. I've played with the command line options using --dummy "benchmarks"; I think I am seeing better performance using default worker threads (32) and --buffer-size 1024MB. The typical result is to see slightly fewer packets captured by the application than by the kernel, with zero drops by kernel/driver/buffer. "Better performance" meaning less difference between application and kernel counters. I've also been...

I have installed RCDCap 0.9 on SecurityOnion latest. I had to use libboost1.58 to compile, and had to hack the cmake file to update the obsolete dependencies. The hardware has 2x 10G interfaces bonded as a VLAN trunk for both server access and to deliver ERSPAN from two Nexus 9000 switches. RCDCap command line is rcdcap -i bond0.1005 -s 65535 --erspan --tap-persist --tap-device mon1 --worker-threads 8 --expression "proto gre" I am getting lots of drop indicated, e.g. quite soon after a reboot ifconfig...

I had to set "no header-format 3" on my Nexus to get ERSPAN-2 packets, which are being decoded properly by RCDCap. Do you still want ERSPAN-3 captures?