
Lean and Mean: Our Open-Source Enhancements to RPCAP

[Update, September 15, 2015]: The ExtraHop Discovery Edition is no longer in active development or maintenance, but current license-holders may continue using all features described in this post.

Normally, IT organizations feed a copy of network traffic to the ExtraHop appliance using a SPAN or tap—a non-invasive, plug-and-play deployment that our customers love us for. But there are some scenarios where that is not possible. For these scenarios, we have a solution: A software tap that essentially mimics a traditional network tap by forwarding traffic from any server to ExtraHop.

Give It Back Better Than You Found It

To build our software tap, we needed the leanest, meanest packet forwarder possible. That's why we weren't content with the standard RPCAP, an open-source remote packet capture system that is already very efficient. RPCAP is a wrapper around the standard libpcap (packet capture) library: it installs on your server, sniffs traffic, and forwards it to another client, such as an ExtraHop appliance, for storage and analysis. Our modifications are currently available for both Linux and Windows and are published on GitHub. Our biggest enhancement is a "udpstr" mode that reduces IP fragmentation and overhead. In cases of even moderate network transfers, such as database queries or web downloads, our enhanced version sends the same amount of information in one-third the number of packets.

The original RPCAP simply wraps each captured packet in a header and sends the whole thing as payload in a UDP packet. For example, in Figure 1 below, a 250-byte TCP packet, #32, will be sent inside a 320-byte UDP packet, #33.

Figure 1. RPCAP forwards each packet as payload in a UDP packet.


Sending each packet inside a UDP packet is simple, but it results in lots of IP fragments when the original packet is already full MTU length, as shown in Figure 2 below.

Figure 2. The original RPCAP split packet #38 into two because the payload exceeded 1514 bytes.


The original packet #38 is already a full MTU of 1514 bytes. RPCAP sends this packet as a UDP packet with 1550 bytes of payload. Since the UDP packet is bigger than the MTU, it is split into two IP fragments: #39, 1514 bytes, and #40, 104 bytes. Any large network transfer, such as a large web download or database query, will consist mostly of full-MTU packets. Using the original RPCAP with this traffic would result in many IP fragments and overhead!

The ExtraHop enhancement, "udpstr" mode for RPCAP, waits until there are 1500 bytes worth of captured packets to send, and then sends UDP packets with full MTU.

Figure 3. ExtraHop's enhancements to RPCAP pack more information into fewer packets for minimal overhead.


In Figure 3 above, the blue UDP packets #39-#43 contain all of the green original packets, #24-#38. Compared to the original RPCAP protocol, there are no IP fragments and the host running RPCAP has far fewer packets to send, and therefore spends significantly less time in the network stack of the operating system! Here are the capture files used above if you want to see what RPCAP looks like on the wire: rpcap_original.pcap, rpcap_extrahop.pcap
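To make the packet-count argument concrete, here is a small model of the two forwarding strategies. It is an added example written for this post, not ExtraHop's RPCAP code. It assumes standard Ethernet, IPv4 and UDP header sizes, a 1500-byte MTU, and a 28-byte per-packet RPCAP record header; that header size is an assumption, chosen because it reproduces the 320-byte and 1550-byte figures above exactly. The flush timing of the stream mode (when a partial buffer is sent) is not described in the post, so the model simply flushes whatever is left at the end.

```python
"""Model of per-packet RPCAP forwarding versus udpstr-style stream packing.

Added example, not ExtraHop's or the RPCAP project's code. Header sizes
are assumptions (see comments); they reproduce the numbers in the post.
"""

ETH_HDR = 14     # Ethernet header
IP_HDR = 20      # IPv4 header without options
UDP_HDR = 8      # UDP header
RPCAP_HDR = 28   # assumed per-packet RPCAP record header; 250 + 28 + 8 + 20 + 14 = 320
MTU = 1500       # link MTU; a full Ethernet frame is MTU + ETH_HDR = 1514 bytes


def ip_fragment_sizes(ip_payload_len, mtu=MTU):
    """On-wire Ethernet frame sizes for one IP datagram carrying
    ip_payload_len bytes (UDP header + data). Non-final fragments carry
    the largest multiple of 8 that fits in the MTU (1480 bytes at 1500)."""
    frag_payload = (mtu - IP_HDR) // 8 * 8
    sizes = []
    remaining = ip_payload_len
    while remaining > 0:
        chunk = min(frag_payload, remaining)
        sizes.append(ETH_HDR + IP_HDR + chunk)
        remaining -= chunk
    return sizes


def per_packet_mode(frames):
    """Original RPCAP: every captured frame becomes its own UDP datagram.
    Returns the wire frame sizes, including any IP fragments."""
    out = []
    for length in frames:
        out.extend(ip_fragment_sizes(UDP_HDR + RPCAP_HDR + length))
    return out


def stream_mode(frames):
    """udpstr-style: records (header + frame) are appended to one byte
    stream, which is cut into datagrams whose IP size never exceeds the
    MTU, so no fragmentation occurs. The tail is flushed at the end
    (assumed; the post does not describe the real flush policy)."""
    max_udp_payload = MTU - IP_HDR - UDP_HDR   # 1472 bytes
    stream_len = sum(RPCAP_HDR + length for length in frames)
    out = []
    while stream_len > 0:
        chunk = min(max_udp_payload, stream_len)
        out.append(ETH_HDR + IP_HDR + UDP_HDR + chunk)
        stream_len -= chunk
    return out


def compare(frames):
    """Frame counts and wire bytes for both strategies on the same capture."""
    a = per_packet_mode(frames)
    b = stream_mode(frames)
    return {
        "per_packet_frames": len(a), "per_packet_bytes": sum(a),
        "stream_frames": len(b), "stream_bytes": sum(b),
    }


if __name__ == "__main__":
    # Constructed input: a burst of fifteen full-MTU frames, the shape of a
    # large download or database result set.
    burst = [1514] * 15
    print("250-byte packet, per-packet mode:", per_packet_mode([250]))
    print("1514-byte packet, per-packet mode:", per_packet_mode([1514]))
    print("15 full-MTU packets:", compare(burst))
```

Running it shows the post's two figures (a 250-byte packet becomes one 320-byte frame; a 1514-byte packet becomes fragments of 1514 and 104 bytes), and for the constructed burst the per-packet mode needs 30 wire frames where the stream mode needs 16, none of them fragmented. The per-byte saving is small; the saving that matters is the number of trips through the sender's network stack.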

Figure 4. Example of a mixed environment. A physical EH6000 has visibility into both physical and virtual servers.


Let RPCAP Join the Party

The ExtraHop software tap adds another option to get the traffic that you need to the ExtraHop appliance. Having a software tap accelerates proof-of-concept deployments and makes it easier for people to use our ExtraHop Discovery Edition even if they do not have easy access to a SPAN. In mixed environments, the ExtraHop software tap enables you to set up a SPAN or tap in your data center but deploy the forwarder at remote branches or stores. Similarly, if you are using Amazon Web Services (AWS), you can easily extend your ExtraHop deployment to cover AWS workloads, gaining full L2-L7 visibility spanning your on-premises and cloud environments. Check out Page 4 of our AWS Solution Brief for an overview of this hybrid scenario.

Try Before You Buy

The ExtraHop software tap makes it much easier to analyze your wire data. Interested in trying it out? Download the ExtraHop Discovery Edition, a perpetually licensed free virtual appliance. With our software tap, you can try our product without network administrator involvement. After deploying the AMI or OVA in a virtual environment and setting up the license key, you deploy the forwarders on the servers you select. Our documentation guides you through the RPCAP download process to access our install script and execute it on your server. It takes just seconds to run! Within minutes, the ExtraHop Discovery Edition will automatically register the selected servers and wire data analysis will appear on the Summary Page for HTTP, database, CIFS, NFS, iSCSI, Citrix ICA, LDAP, and DNS traffic. Specific information about the forwarder instance is on the System Health page. From there, use the ExtraHop platform to view communications between your servers and spot potential issues.

Thanks to Alex for his work on the RPCAP enhancement! An avid mountaineer, he appreciates the value of packing things efficiently.

