I am working with a Navy Cyber Team to ingest data into RockNSM. We are sending all the data in my virtual infrastructure to an ERSPAN IP. When I configure RockNSM and give the monitoring interface that IP, all I see is encapsulated traffic. How and where do I set up another interface to de-encapsulate that traffic and use that interface as my monitoring interface, so I am able to see the data inside the packets? Thanks, much appreciated.
I’m on mobile, so I’ll give you the short version of how I’ve done this before:
De-encapsulate the traffic with RCDCAP onto a tun/tap interface (virtual), then copy the unwrapped packets onto your promiscuous/monitoring interface with netsniff-ng.
I have systemd configs for this somewhere if you’re interested.
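Added example to show what the de-encapsulation step above actually does on the wire (this is constructed illustration code, not from the answer above, RockNSM or rcdcap). It builds a sample ERSPAN Type II frame (Ethernet / IPv4 proto 47 / GRE / ERSPAN header / original frame), strips the four outer layers, and compares the "outer view" a sensor gets on the ERSPAN destination interface (only the two tunnel endpoints talking GRE) with the "inner view" after stripping (the real endpoints). It also handles ERSPAN Type I and Type III headers, which the thread does not mention; the sample addresses and session/VLAN values are made up.

```python
"""ERSPAN decapsulation walkthrough (constructed sample, not RockNSM or rcdcap code).

The outer frame is what an ERSPAN destination interface sees:
  Ethernet | IPv4 (proto 47) | GRE | ERSPAN Type II header | original Ethernet frame
Stripping the first four layers yields the original frame a sensor can parse.
"""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_ERSPAN_I_II = 0x88BE   # ERSPAN Type I and Type II
GRE_PROTO_ERSPAN_III = 0x22EB    # ERSPAN Type III

GRE_FLAG_C = 0x8000  # checksum present
GRE_FLAG_K = 0x2000  # key present
GRE_FLAG_S = 0x1000  # sequence number present


def gre_header_len(flags):
    """GRE base header is 4 bytes; each optional field adds 4."""
    n = 4
    if flags & GRE_FLAG_C:
        n += 4  # checksum + reserved1
    if flags & GRE_FLAG_K:
        n += 4
    if flags & GRE_FLAG_S:
        n += 4
    return n


def decapsulate_erspan(outer_frame):
    """Strip Ethernet/IPv4/GRE/ERSPAN from a captured frame.

    Returns a dict with the ERSPAN type, session id, VLAN (when the header
    carries one) and the original inner Ethernet frame as bytes. Raises
    ValueError for anything that is not ERSPAN over GRE.
    """
    if len(outer_frame) < 14 or struct.unpack("!H", outer_frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip = outer_frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_GRE:
        raise ValueError("outer IPv4 packet is not GRE (protocol 47)")
    gre = ip[ihl:]
    flags, proto = struct.unpack("!HH", gre[:4])
    off = gre_header_len(flags)

    if proto == GRE_PROTO_ERSPAN_I_II:
        if not flags & GRE_FLAG_S:
            # Type I: GRE without a sequence number and no ERSPAN header at all
            return {"type": 1, "session_id": None, "vlan": None, "frame": gre[off:]}
        word1, = struct.unpack("!I", gre[off:off + 4])
        return {
            "type": 2,
            "session_id": word1 & 0x3FF,      # low 10 bits of word 1
            "vlan": (word1 >> 16) & 0xFFF,    # 12-bit VLAN field
            "frame": gre[off + 8:],           # 8-byte Type II header
        }
    if proto == GRE_PROTO_ERSPAN_III:
        word1, _timestamp, word3 = struct.unpack("!III", gre[off:off + 12])
        hdr = 12 + (8 if word3 & 0x1 else 0)  # O bit => optional platform subheader
        return {
            "type": 3,
            "session_id": word1 & 0x3FF,
            "vlan": (word1 >> 16) & 0xFFF,
            "frame": gre[off + hdr:],
        }
    raise ValueError(f"GRE protocol 0x{proto:04x} is not ERSPAN")


def summarize_inner(frame):
    """Return (src_ip, dst_ip, ip_proto) for an Ethernet/IPv4 frame, or None."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ip[9]


def build_sample_erspan_frame(session_id=7, vlan=100):
    """Construct an ERSPAN Type II frame wrapping a small UDP packet (test data only)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + 5, 0, 0, 64, 17, 0,
                           socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    inner_udp = struct.pack("!HHHH", 5000, 53, 8 + 5, 0) + b"hello"
    inner = (bytes.fromhex("aabbccddeeff112233445566") + struct.pack("!H", ETHERTYPE_IPV4)
             + inner_ip + inner_udp)

    erspan = struct.pack("!II", (1 << 28) | (vlan << 16) | session_id, 1)  # ver=1, index=1
    gre = struct.pack("!HHI", GRE_FLAG_S, GRE_PROTO_ERSPAN_I_II, 1)       # seq=1
    outer_len = 20 + len(gre) + len(erspan) + len(inner)
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, outer_len, 0, 0, 64, IPPROTO_GRE, 0,
                           socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20"))
    outer = (bytes.fromhex("001122334455665544332211") + struct.pack("!H", ETHERTYPE_IPV4)
             + outer_ip + gre + erspan + inner)
    return outer, inner


if __name__ == "__main__":
    outer, inner = build_sample_erspan_frame()
    result = decapsulate_erspan(outer)
    print("ERSPAN type", result["type"], "session", result["session_id"], "vlan", result["vlan"])
    print("outer view:", summarize_inner(outer))             # tunnel endpoints, proto 47
    print("inner view:", summarize_inner(result["frame"]))   # real endpoints, proto 17
```

The "outer view" line is the symptom from the question: a sensor bound to the ERSPAN destination interface only ever sees GRE between the two tunnel endpoints. Whatever does the stripping (rcdcap in the answer above, or this kind of parser) has to sit between that interface and the sensor's monitoring interface so the sensor receives the inner frame.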