Packet Forwarding with RPCAP
The ExtraHop Discover appliance generates metrics about your network and applications through a wire data feed, which is typically mirrored from a switch. However, you might not always have access to a switch or you might want to monitor a specific device that is outside of your wire data network. Additionally, in a cloud environment, such as Microsoft Azure or Amazon Web Services (AWS), you cannot directly access switch hardware. For these types of environments, you can forward packets to a Discover appliance through a software tap such as Remote Packet Capture (RPCAP).
Before you begin
You must have experience with ExtraHop appliances, network concepts, and installing utilities on servers to complete the procedures in this guide. This guide provides concepts about the ExtraHop RPCAP implementation along with instructions for all required procedures.
If your ExtraHop system includes the Trace appliance, you can configure a second feed of packets from your remote environment to the Trace appliance.
Deployment overview
The following steps outline the key procedures that are required to implement RPCAP with an ExtraHop Discover appliance.
- First, configure the Discover appliance to accept RPCAP traffic and add packet-forwarding rules.
- Next, download the rpcapd software for your operating system from the Discover appliance.
- If your environment has a firewall, open ports on your firewall for the requisite RPCAP traffic.
- Finally, install the rpcapd software on every Linux and Windows device that you want to forward traffic from. You must modify the configuration file (rpcapd.ini) to specify device interfaces or to direct traffic to the Discover appliance.
- If you have a Trace appliance, you must configure it to accept RPCAP traffic, add packet-forwarding rules, and update your rpcapd.ini files to direct traffic to both Discover and Trace appliances.
Implementing RPCAP with the ExtraHop system
RPCAP is implemented through a small binary file that runs as a daemon (rpcapd) on each device that you want to monitor traffic for. The RPCAP installation package for Windows or Linux can be downloaded directly from your Discover appliance.
The following figure shows a simple RPCAP implementation with a single Discover appliance behind a firewall. Your network configuration might vary.

The ExtraHop implementation of RPCAP operates in active mode, which means that devices installed with rpcapd software initiate a TCP connection to the ExtraHop appliance over defined ports. After the TCP connection is established, the ExtraHop appliance responds with packet-forwarding rules that identify the allowed traffic. When the allowed traffic is detected on the monitored rpcapd device, packets are forwarded to the ExtraHop appliance over a designated UDP port range.
Each rpcap-installed device contains a configuration file (rpcapd.ini) with the IP addresses of the ExtraHop appliances where traffic should be sent, and the TCP port over which the connection should be initiated.
Each ExtraHop appliance must have an interface configured to monitor RPCAP traffic. In addition, your ExtraHop appliance must be configured with packet-forwarding rules that determine which packets are forwarded by the remote devices.
Configure RPCAP on the ExtraHop appliance
You can configure RPCAP and management on the same interface, but you might want to configure a second interface only for RPCAP to avoid unnecessary performance degradation.
Configure packet-forwarding rules on the ExtraHop appliance
After you configure the interface as an RPCAP target, you must configure packet-forwarding rules. Packet forwarding rules limit what traffic is allowed to be sent to the ExtraHop appliance through RPCAP.
By default, an entry is configured for port 2003 that accepts traffic from all interface addresses. You can modify the default entry for your environment, delete the default entry, and add additional entries. It is a good practice to set these rules first, so that when you configure rpcapd on your remote devices, the ExtraHop appliance is ready to receive the forwarded packets.
You can configure up to 16 rules for packet forwarding in the ExtraHop appliance; each rule must have a single TCP port over which the ExtraHop appliance communicates the packet-forwarding rules to rpcapd devices.
Important: The information in the rpcapd configuration file on the devices that are forwarding packets must not contradict the rules set in the ExtraHop appliance.
- In the Network Settings section, click Connectivity.
- In the RPCAP Settings section, complete one of the following actions:
  - Click on 2003 to open the default entry.
  - Click Add to add a new entry.
- In the Add RPCAP Port Definition section, complete the following information:
  - In the Port field, type the TCP port that will communicate information about this packet forwarding rule. Port entries must be unique for each interface subnet on the same server.
  - In the Interface Address field, type the IP address or CIDR range of the interface on the device that you want the ExtraHop appliance to receive traffic from. For example, 10.10.0.0/24 forwards all traffic on the system from interfaces within that CIDR range, * is a wildcard that matches all traffic on the system, and 10.10.0.5 sends traffic only from the interface with the 10.10.0.5 IP address.
  - In the Interface Name field, type the name of the interface on the device that will send traffic to the ExtraHop appliance. For example, eth0 in a Linux environment or \Device\NPF_{2C2FC212-701D-42E6-9EAE-BEE969FEFB3F} in a Windows environment.
  - In the Filter field, type the ports for the traffic that you want to forward to the ExtraHop appliance in Berkeley Packet Filter (BPF) syntax. For example, you can type tcp port 80 to forward all traffic on TCP port 80 from your remote network device to the ExtraHop appliance. For more information about BPF syntax, see Filter packets with Berkeley Packet Filter syntax.
- Click Save, which saves the settings and restarts the capture.
- Repeat these steps to configure additional rules. You can add up to 16 rules.
Save the running configuration file
After you configure the interface and configure packet forwarding rules, you must save the changes to the running configuration file.
- In the Network Settings section, click Connectivity.
- Click View and Save Changes.
- Review the changes in the Current running config (not yet saved) pane.
- Click Save.
- Click Done.
Installing rpcapd on your remote devices
You can access preformatted, up-to-date download and installation commands through https://<extrahop_management_ip>/tools, where <extrahop_management_ip> is the IP address of your Discover appliance. Information is provided for Linux distributions and Windows.
Important: These options should not be modified without an understanding of how the change might affect your workflow.
When you run the installation command, rpcapd automatically starts and initiates communication to the IP address and destination port specified in the command. For example, on a Linux device, where 172.18.10.25 is the IP address of the Discover appliance and the TCP port is 2003, the installation command is sudo ./install.sh -k 172.18.10.25 2003.
Running the install command creates a configuration file (rpcapd.ini) with an ActiveClient entry that defines the IP address and destination port of the Discover appliance, such as ActiveClient = 10.0.0.100,2003. The configuration file can be modified to change the Discover appliance information or to further filter the traffic that is sent to the Discover appliance.
- -v
- Runs rpcap in active mode only instead of both active and passive modes.
- -d
- Runs rpcap as a daemon (in Linux) or as a service (in Windows).
- -L
- Sends log messages to a syslog server.
Install and start rpcapd on a Linux device
Before you begin
The minimum Linux kernel version required to run rpcapd is 2.6.32.
- In a web browser, navigate to https://<extrahop_management_ip>/tools, where <extrahop_management_ip> is the IP address of your Discover appliance.
- Follow the installation instructions to download the package for the Linux distribution of your device. (Optionally, you can view instructions for Generic/Other Linux and then copy and paste the commands to download and install rpcapd.)
- Copy and paste the commands to install and start rpcapd. The command will be similar to the following example: sudo ./install.sh -k 172.18.10.25 2003, where 172.18.10.25 is the IP address of your ExtraHop appliance and 2003 is the TCP port you want to communicate through.
Configure rpcapd on a Linux device with multiple interfaces
For devices with multiple interfaces, rpcapd can be configured to forward packets by interface.
To edit the configuration file, complete the following steps.
Example Linux configurations
The following example shows an interface in CIDR format:
ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.1.0/24
NullAuthPermit = YES
The following example shows a configuration that forwards packets by interface name:
ActiveClient = 10.10.6.45, 2003, ifname=eth0
NullAuthPermit = YES
Install rpcapd on a Windows device with Powershell
Note: Windows RPCAP support requires 64-bit versions of Windows 7, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016.
- In a web browser, navigate to https://<extrahop_management_ip>/tools, where <extrahop_management_ip> is the IP address of your Discover appliance.
- Download and unzip the rpcapd file for Windows.
- Open PowerShell and navigate to the directory with the unzipped files.
- Run the following command, where <extrahop_rpcap_target_ip> is the IP address of the ExtraHop appliance that you want to forward packets to and <extrahop_rpcapd_port> is the TCP port through which the device should connect: ./install-rpcapd.ps1 -InputDir . -RpcapIp <extrahop_rpcap_target_ip> -RpcapPort <extrahop_rpcapd_port>
Configure rpcapd on a Windows device with multiple interfaces
For network devices with multiple interfaces, rpcapd can be configured to forward packets from multiple interfaces.
To edit the configuration file, complete the following steps.
Example Windows configurations
The following example shows an interface in CIDR format:
ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.1.0/24
NullAuthPermit = YES
The following example shows a configuration that forwards packets by interface name:
ActiveClient = 10.10.6.45, 2003, ifname=\Device\NPF_{2C2FC212-701D-42E6-9EAE-BEE969FEFB3F}
NullAuthPermit = YES
To reinstall rpcapd after changing the configuration file, run one of the following installation commands, replacing -RpcapIp and -RpcapPort with the -KeepConfig flag to preserve the modified configuration file:
.\install-rpcapd.ps1 -MgmtIp <extrahop_management_ip> -KeepConfig or .\install-rpcapd.ps1 -InputDir . -KeepConfig
Verify your RPCAP traffic
After your configuration is complete, you can view RPCAP packets and throughput metrics on the System Health page to verify that the correct traffic is being forwarded to the Discover appliance.

Learn more about System Health charts.
RPCAP packets
Displays the rate of remote packet capture (RPCAP) for all RPCAP peers, expressed in packets per second, on the ExtraHop Discover appliance.
This chart also has the following metrics:
- Total
- The total number of RPCAP packets captured in the selected time interval.
- Current
- The number of RPCAP packets captured during the most recent second.
- Max
- The maximum number of RPCAP packets captured in the selected time interval.
The total, current, and maximum metrics are divided into the following categories:
- Encapsulation
- The total number of RPCAP-encapsulated packets received by the Discover appliance.
- Tunnel Eligible
- The total number of RPCAP packets eligible to be forwarded to the Discover appliance.
- Tunnel Sent
- The total number of RPCAP-tunneled packets forwarded to the Discover appliance.
- Tunnel Received
- The total number of RPCAP-tunneled packets received by the Discover appliance.
The chart title contains the number of RPCAP peers. You can click the chart to open a second chart that displays the RPCAP packet metrics on a per-peer basis.
The RPCAP chart is only displayed if remote packet capture is enabled on the Discover appliance.
RPCAP throughput
Displays the rate of RPCAP throughput metrics for all RPCAP peers, expressed in bytes per second, on the ExtraHop Discover appliance.
This chart also has the following metrics:
- Total
- The total number of RPCAP bytes transferred in the selected time interval.
- Current
- The number of RPCAP bytes transferred during the most recent second.
- Max
- The maximum number of RPCAP bytes transferred in the selected time interval.
The total, current, and maximum metrics are divided into the following categories:
- Encapsulation
- The total number of RPCAP-encapsulated bytes received by the Discover appliance.
- Tunnel Received
- The total number of RPCAP-tunneled bytes received by the Discover appliance.
The chart title contains the number of RPCAP peers. You can click the chart to open a second chart that displays the RPCAP throughput metrics on a per-peer basis.
The RPCAP chart is only displayed if remote packet capture is enabled on the Discover appliance.
Sample RPCAP configuration
The following sample configurations illustrate how traffic rules apply to packet forwarding.
In all scenarios below, the ExtraHop Discover appliance (EDA) interface has a network configuration of 172.25.26.5, 172.25.26.0/24 and is configured for RPCAP, as displayed in the following figure.
Scenario 1: The Discover appliance is configured to accept all interface traffic, as displayed in the following figure.

Client Network Configuration | RPCAP Configuration (rpcapd.ini) | Traffic Forwarded |
---|---|---|
eth0 = 10.10.1.20, 10.10.1.0/24 | ActiveClient=172.25.26.5, 2003 | All traffic on eth0. |
eth0 = 10.10.1.21, 10.10.1.0/24; eth1 = 192.168.4.21, 192.168.4.0/24 | ActiveClient=172.25.26.5, 2003 | All traffic on eth0. No traffic from eth1. |
eth0 = 10.10.1.21, 10.10.1.0/24; eth1 = 192.168.4.21, 192.168.4.0/24 | ActiveClient=172.25.26.5, 2003, ifname=eth1 | All traffic on eth1. No traffic from eth0. |
eth0 = 10.10.1.21, 10.10.1.0/24; eth1 = 192.168.4.21, 192.168.4.0/24 | ActiveClient=172.25.26.5, 2003, ifname=eth0; ActiveClient=172.25.26.5, 2003, ifname=eth1 | All traffic on both eth0 and eth1. |
Scenario 2: The Discover appliance is configured to accept traffic from only the device eth1 interface, as displayed in the following figure.

Client Network Configuration | RPCAP Configuration (rpcapd.ini) | Traffic Forwarded |
---|---|---|
eth0 = 10.10.1.20, 10.10.1.0/24 | ActiveClient=172.25.26.5, 2003 | No traffic is forwarded. |
eth0 = 10.10.1.21, 10.10.1.0/24; eth1 = 192.168.4.21, 192.168.4.0/24 | ActiveClient=172.25.26.5, 2003 | No traffic is forwarded. |
eth0 = 10.10.1.21, 10.10.1.0/24; eth1 = 192.168.4.21, 192.168.4.0/24 | ActiveClient=172.25.26.5, 2003, ifname=eth1 | All traffic on eth1. No traffic from eth0. |
eth0 = 10.10.1.21, 10.10.1.0/24; eth1 = 192.168.4.21, 192.168.4.0/24 | ActiveClient=172.25.26.5, 2003, ifname=eth0; ActiveClient=172.25.26.5, 2003, ifname=eth1 | All traffic on eth1. No traffic from eth0. |
Scenario 3: The Discover appliance is configured to accept all interface traffic for TCP port 80, as displayed in the following figure.

Client Network Configuration | RPCAP Configuration (rpcapd.ini) | Traffic Forwarded |
---|---|---|
eth0 = 10.10.1.20, 10.10.1.0/24 | ActiveClient=172.25.26.5, 2003 | Only port 80 traffic on eth0. |
eth0 = 10.10.1.21, 10.10.1.0/24; eth1 = 192.168.4.21, 192.168.4.0/24 | ActiveClient=172.25.26.5, 2003 | Only port 80 traffic on eth0. No traffic from eth1. |
eth0 = 10.10.1.21, 10.10.1.0/24; eth1 = 192.168.4.21, 192.168.4.0/24 | ActiveClient=172.25.26.5, 2003, ifname=eth1 | Only port 80 traffic on eth1. No traffic from eth0. |
eth0 = 10.10.1.21, 10.10.1.0/24 | ActiveClient=172.25.26.5, 2003, ifname=eth0 | Only port 80 traffic on eth0. |
Scenario 4: The Discover appliance is configured to accept only TCP port 80 traffic from the eth1 interface, as displayed in the following figure.

Client Network Configuration | RPCAP Configuration (rpcapd.ini) | Traffic Forwarded |
---|---|---|
eth0 = 10.10.1.20, 10.10.1.0/24 | ActiveClient=172.25.26.5, 2003 | No traffic is forwarded. |
eth0 = 10.10.1.21, 10.10.1.0/24; eth1 = 192.168.4.21, 192.168.4.0/24 | ActiveClient=172.25.26.5, 2003 | No traffic is forwarded. |
eth0 = 10.10.1.21, 10.10.1.0/24; eth1 = 192.168.4.21, 192.168.4.0/24 | ActiveClient=172.25.26.5, 2003, ifname=eth1 | Only port 80 traffic on eth1. No traffic from eth0. |
eth0 = 10.10.1.21, 10.10.1.0/24; eth1 = 192.168.4.21, 192.168.4.0/24 | ActiveClient=172.25.26.5, 2003, ifname=eth0; ActiveClient=172.25.26.5, 2003, ifname=eth1 | Only port 80 traffic on eth1. No traffic from eth0. |
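The following script is an added illustration of the scenario tables above, not ExtraHop code: it parses the ActiveClient entries of a constructed rpcapd.ini, picks the device interface each entry offers, and applies a constructed appliance rule (Port, Interface Address, Interface Name, Filter) to decide what the device forwards. The rule and interface dictionaries, and the assumption that an entry with neither ifname nor ifaddr offers the device's first interface (Scenario 1, row 2), are mine.

```python
import ipaddress

# Constructed model of appliance rule + rpcapd.ini interaction (not ExtraHop code);
# rule fields mirror the Add RPCAP Port Definition form, '*' meaning any.

def parse_active_clients(ini_text):
    """Parse 'ActiveClient = ip, port[, ifname=..|ifaddr=..]' lines of rpcapd.ini."""
    entries = []
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "ActiveClient":
            continue                                  # e.g. NullAuthPermit = YES
        parts = [p.strip() for p in value.split(",")]
        entry = {"ip": parts[0], "port": int(parts[1]), "ifname": None, "ifaddr": None}
        for opt in parts[2:]:                         # tolerates 'ifname = eth1'
            k, _, v = opt.partition("=")
            entry[k.strip()] = v.strip()
        entries.append(entry)
    return entries

def select_interface(entry, interfaces):
    """Interface an ActiveClient entry offers; with neither ifname nor ifaddr the
    device's first interface is used (assumption matching Scenario 1, row 2)."""
    if entry["ifname"]:
        return next((i for i in interfaces if i["name"] == entry["ifname"]), None)
    if entry["ifaddr"]:
        net = ipaddress.ip_network(entry["ifaddr"], strict=False)
        return next((i for i in interfaces if ipaddress.ip_address(i["addr"]) in net), None)
    return interfaces[0] if interfaces else None

def rule_allows(rule, iface):
    """Appliance-side check of Interface Name and Interface Address ('*' = any)."""
    if rule["ifname"] not in ("*", iface["name"]):
        return False
    if rule["ifaddr"] != "*":
        net = ipaddress.ip_network(rule["ifaddr"], strict=False)
        if ipaddress.ip_address(iface["addr"]) not in net:
            return False
    return True

def forwarded(rules, interfaces, ini_text):
    """Map each forwarding interface to the BPF filter applied ('all' if none)."""
    out = {}
    for entry in parse_active_clients(ini_text):
        iface = select_interface(entry, interfaces)
        for rule in rules:
            if iface and rule["port"] == entry["port"] and rule_allows(rule, iface):
                out[iface["name"]] = rule["filter"] or "all"
    return out

# Constructed two-interface device and the Scenario 4 rule (eth1 only, TCP port 80).
DEVICE = [{"name": "eth0", "addr": "10.10.1.21"}, {"name": "eth1", "addr": "192.168.4.21"}]
SCENARIO_4 = [{"port": 2003, "ifaddr": "*", "ifname": "eth1", "filter": "tcp port 80"}]
INI = "ActiveClient = 172.25.26.5, 2003, ifname=eth0\nActiveClient = 172.25.26.5, 2003, ifname = eth1\nNullAuthPermit = YES\n"
```

Running forwarded(SCENARIO_4, DEVICE, INI) reproduces the last row of the Scenario 4 table: only eth1, only port 80.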
Opening ports on your firewall
RPCAP forwards packets over a range of UDP ports that are determined by the TCP ports configured in the Discover or Trace appliance and the model of your appliance.
Important: Opening four ports might be sufficient for most environments. However, we recommend that you open a full 32 ports to avoid losing traffic from your RPCAP-installed devices. If opening 32 ports on your firewall is a concern, you can follow the guidelines in the table below. If you are not receiving all expected traffic, contact ExtraHop Support.
- For the lower end of the UDP port range, take the lowest TCP port listed in the set of rules on the Discover or Trace appliance.
- For the higher end of the UDP range, take the lowest number and add the number associated with your ExtraHop appliance model, as listed in the following table.
ExtraHop Appliance | Number of Ports | Example Range |
---|---|---|
EDA 1000v or ETA 1150v | 1 | 2003 |
EDA 2000v | 4 | 2003-2006 |
EDA 6100v | 8 | 2003-2010 |
EDA 3100 | 4 | 2003-2006 |
EDA 6100 | 8 | 2003-2010 |
EDA 8100 | 16 | 2003-2018 |
EDA 9100 | 32 | 2003-2034 |
For advanced users, you can also manually modify the lowest port of the UDP range through the following Running Configuration file setting: rpcap:udp_port_start.