Blog[Update, September 15, 2015]: The ExtraHop Discovery Edition is no longer in active development or maintenance, but current license-holders may continue using all features described in this post.
Normally, IT organizations feed a copy of network traffic to the ExtraHop appliance using a SPAN or tap—a non-invasive, plug-and-play deployment that our customers love us for. But there are some scenarios where that is not possible. For these scenarios, we have a solution: A software tap that essentially mimics a traditional network tap by forwarding traffic from any server to ExtraHop.
Give It Back Better Than You Found It
To build our software tap, we needed the leanest, meanest packet forwarder possible. That's why we weren't content with the standard RPCAP, an open-source remote packet capture system that is already very efficient. RPCAP is a wrapper around the standard libpcap (packet capture) library and installs on your server, sniffs traffic, and forwards it to another client, such as an ExtraHop appliance, for storage and analysis. Our modifications are currently available for both Linux and Windows, and posted back up on GitHub. Our biggest enhancement is an "udpstr" mode to decrease IP fragments and overhead. In cases of even moderate network transfers, such as database queries or web downloads, our enhanced version sends the same amount of information in one-third the number of packets.The original RPCAP simply wraps each captured packet in a header and sends the whole thing as payload in a UDP packet. For example, in Figure 1 below, a 250-byte TCP packet, #32, will be sent inside a 320-byte UDP packet, #33.
Figure 1. RPCAP forwards each packet as payload in a UDP packet.
Figure 2. The original RPCAP split packet #38 into two because the payload exceeded 1514 bytes.
The ExtraHop enhancement, "udpstr" mode for RPCAP, waits until there are 1500 bytes worth of captured packets to send, and then sends UDP packets with full MTU.
Figure 3. ExtraHop's enhancements to RPCAP pack more information into fewer packets for minimal overhead.
Figure 4. Example of a mixed environment. A physical EH6000 has visibility into both physical and virtual servers.
Let RPCAP Join the Party
The ExtraHop software tap adds another option to get the traffic that you need to the ExtraHop appliance. Having a software tap accelerates proof-of-concept deployments and makes it easier for people to use our ExtraHop Discovery Edition even if they do not have easy access to a SPAN. In mixed environments, the ExtraHop software tap enables you to set up a SPAN or tap in your data center but deploy the forwarder at remote branches or stores. Similarly, if you are using Amazon Web Services (AWS), you can easily extend your ExtraHop deployment to cover AWS workloads, gaining full L2-L7 visibility spanning your on-premises and cloud environments. Check out Page 4 of our AWS Solution Brief for an overview of this hybrid scenario.Try Before You Buy
The ExtraHop software tap makes it much easier to analyze your wire data. Interested in trying it out? Download the ExtraHop Discovery Edition, a perpetually licensed free virtual appliance. With our software tap, you can try our product without network administrator involvement. After deploying the AMI or OVA in a virtual environment and setting up the license key, you deploy the forwarders on the servers you select. Our documentation guides you through the RPCAP download process to access our install script and execute it on your server. It takes just seconds to run! Within minutes, the ExtraHop Discovery Edition will automatically register the selected servers and wire data analysis will appear on the Summary Page for HTTP, database, CIFS, NFS, iSCSI, Citrix ICA, LDAP, and DNS traffic. Specific information about the forwarder instance is on the System Health page. From there, use the ExtraHop platform to view communications between your servers and spot potential issues.
Thanks to Alex for his work on the RPCAP enhancement! An avid mountaineer, he appreciates the value of packing things efficiently.
