Deploy and Configure a Packet Forwarder (RPCAPd)


In this blog, you will learn when and how to deploy the ExtraHop Packet Forwarder and how to configure it so that you get the desired data feed.

Let’s start by answering the question: “Why and when do you deploy a packet forwarder?” Normally you receive a data feed from a SPAN port, a packet broker, a virtual tap (in the cloud), or ERSPAN in VMware. However, there are situations where getting that data feed is difficult or too expensive. Take a remote location with one server and a couple of client devices. Deploying an ExtraHop sensor in such a location might not be economically feasible. You can, however, deploy an ExtraHop Packet Forwarder on the server at this remote location, which forwards all the traffic the server sends and receives to an ExtraHop Packet Sensor at the central/main location. This provides visibility into the behavior of that server without the need to deploy an extra ExtraHop Packet Sensor at that location.

Another use case is getting visibility into a containerized environment. You can get that visibility by deploying an ExtraHop Packet Forwarder on the server that hosts the containerized services. The ExtraHop Packet Forwarder gives you back the visibility you lost when you chose the ease and flexibility of containers.

The ExtraHop Packet Forwarder can be deployed on Linux and Windows servers. Details can be found on the ExtraHop website:

https://docs.extrahop.com/current/rpcap/

The following video shows how to deploy and configure the ExtraHop Packet Forwarder for a server and a containerized environment:

Note: On Windows, the ExtraHop Packet Forwarder can only be deployed on Windows servers, not on Windows client devices.