capture run
Captures HTTP traffic from a network interface and forwards matching requests to Esper.
esper capture run
esper capture run --test --dry-run
esper capture run --enforce --tenant-id <tenant-id>
esper capture run --enforce
Relevant flags
--enforce: enables mitigation sync and local enforcement
--tenant-id: explicit tenant to sync active mitigations for
--sync-interval-seconds: mitigation sync interval
--stats: prints packet, forwarding, enforcement, and sync metrics
--test: captures loopback traffic on lo
--dry-run: prints captured requests without forwarding or enforcing
--filter: overrides the default BPF expression
Enforcement behavior
esper capture run --enforce syncs the tenant’s active mitigations to the hybrid for local enforcement.
Block: the request is dropped locally
Challenge: the match is logged and the request is still forwarded
Monitor: the match is logged and the request is still forwarded
Local enforcement currently requires the captured HTTP request to include an Esper-managed opaque X-Esper-Hybrid-Key header.
capture record
Records network traffic to a PCAP file for later analysis.
esper capture record --output traffic.pcap --duration 10 --interface lo
capture test-server
Starts a test HTTP server for validating hybrid capture functionality.
esper capture test-server --port 8888
run
Runs the Esper hybrid daemon using the XML hybrid configuration.
The daemon reads ~/.esper/runtime.xml by default and writes logs and cache files under ~/.esper/.
sync
Performs a one-shot sync from origin into the local hybrid cache.
esper sync actions
esper sync entities
esper sync policies
esper sync mitigations