Rcore Configurations

The Rcore is a lightweight program. You "start" an Rcore by running an rcore executable. You "stop" an Rcore by stopping, terminating, or killing a running rcore executable.

The rcore executable can take many command line arguments. This makes the Rcore highly configurable and compatible with pretty much any network configuration.

Listed below are the possible arguments.

Options:
    --help                   | Display this help message.
    --version                | Display the version.

LICENSE INFORMATION
    --license-name=<name>    | Set the license name.
    --license-key=<key>      | Set the license key.

NETWORK INTERFACES
    --list-interfaces        | List all of the available interfaces.
    --downlink=<interface>   | Set the downlink interface by name or address.
    --uplink=<interface>     | Set the uplink interface by name or address.
    --describe-interfaces    | Describe the uplink and downlink interfaces set and exit.

BRIDGING INTERFACES (experimental)
    --bridge-down            | Bridge traffic from uplink to downlink.
    --bridge-up              | Bridge traffic from downlink to uplink.

FILTERING
    --include-global-traffic | Process IPv4 traffic to or from global IPv4 addresses. (Default is to exclude global traffic.)

MANAGER SETTINGS
    --core-id=<core-id>            | Set the core ID.
    --enc-key=<key>                | Set the encryption key. (defaults to plaintext)
    --manager-port=<port>          | Set the rcore manager port. (use stdio if missing)
    --manager-server=<host>        | Connect to an rcore manager. (defaults to stdio)
    --org-id=<org-id>              | Set the org ID.
    --use-v4-messages              | Use version 4 messages.
    --max-connection-attempts=<n>  | Retry manager connection <n> times before failure.

LIVE / DARK TRACKING
    --always-live-ipv4-list=<list> | Always assume IPv4 addresses in <list> are live.
    --echo-arp-request             | Echo ARP request packets. (signal injection)
    --echo-latency-dhcp=<t>        | Minimum time (ms) between DHCP message and ARP echo. (default=60000)
    --echo-latency-ipv4=<t>        | Minimum time (ms) between live IPv4 and ARP echo. (default=60000)

PHANTOMS
    --no-phantoms-for-ipv4-list=<list> | Do not present phantoms to endpoints in the list of IPv4 addresses.
    --no-phantoms-for-mac-list=<list>  | Do not present phantoms to endpoints in the list of MAC addresses.
    --phantom-arp-threshold=<n>        | Send a phantom ARP reply after <n> ARP requests go unanswered. (default=2)
    --phantom-start-delay=<t>          | Start phantoms after <t> milliseconds. (default=180000ms)
    --phantom-time-threshold=<t>       | Send a phantom ARP reply after <t> milliseconds of live endpoint inactivity. (default=300000)
    --phantom-arp                      | Enable phantom ARP replies.
    --phantom-icmp                     | Enable phantom ICMP replies.
    --phantom-tcp                      | Enable phantom TCP replies.
    --synth-mac-list=<list>            | List of comma-separated synthetic MAC addresses. (default is the uplink interface MAC)

TRACKING (single)
    --track-dhcp               | Track DHCP requests.
    --track-ipv4-global        | Track IPv4 global addresses.
    --track-ipv4-local         | Track IPv4 link local addresses.
    --track-ipv4-private       | Track IPv4 private addresses.
    --track-ipv6               | Track IPv6 addresses.

TRACKING (pair)
    --track-ipv4-pairs         | Track IPv4 source/destination pairs.
    --track-ipv6-pairs         | Track IPv6 source/destination pairs.
    --track-mac-pairs          | Track MAC source/destination pairs.

MONITORING (structured)
    --heartbeat=<n>            | Emit a heartbeat message every <n> seconds. (default=30)
    --show-arp                 | Show the ARP traffic.
    --show-dhcp                | Show the DHCP traffic.
    --show-icmp                | Show the ICMP traffic.
    --show-tcp                 | Show TCP connection attempts.

MONITORING (IPv4 multicast)
    --show-all-multicast-ipv4  | Show all the IPv4 multicast traffic. (verbose with payloads)
    --show-llmnr-ipv4          | Show the LLMNR multicast traffic.
    --show-mdns-ipv4           | Show the mDNS multicast traffic.
    --show-ntp-ipv4            | Show the NTP multicast traffic.
    --show-ssdp-ipv4           | Show the SSDP multicast traffic.
    --show-ssdp2-ipv4          | Show the SSDP v2 multicast traffic.
    --show-teredo-ipv4         | Show the Teredo multicast traffic.

MONITORING (raw)
    --show-arp-reply           | Show the ARP reply packets.
    --show-arp-request         | Show the ARP request packets.
    --show-ethernet-header     | Show the Ethernet headers seen.
    --show-ethernet-frame      | Show the bytes of the Ethernet frames seen.
    --show-frame-length        | Show the Ethernet frame length.
    --show-ipv4-header         | show the IPv4 headers seen
    --show-ipv6-header         | show the IPv6 headers seen
    --show-tcp-header          | show the TCP headers seen
    --show-udp-header          | show the UDP headers seen
    --show-tcp-fin             | show TCP headers with FIN
    --show-tcp-rst             | show TCP headers with RST
    --show-tcp-syn-ack         | show TCP headers with +SYN +ACK
    --show-tcp-syn-noack       | show TCP headers with +SYN -ACK

REPORTING
    --report-freq=<n>          | Display the live reports every n frames. (default=1000)
    --report-arp-pressure      | Report stats on ARP pressure.
    --report-live-dhcp         | Report stats on DHCP traffic.
    --report-live-ipv4-global  | Report stats on global IPv4 addresses.
    --report-live-ipv4-local   | Report stats on local IPv4 addresses.
    --report-live-ipv4-private | Report stats on private IPv4 addresses.
    --report-live-ipv6         | Report stats on IPv6 addresses.
    --report-ipv4-pairs        | Report stats on IPv4 pairs.
    --report-ipv6-pairs        | Report stats on IPv6 pairs.
    --report-mac-pairs         | Report stats on MAC pairs.