You might not always have access to a switch (such as in a cloud environment), or you might want to monitor a specific device that is outside of your wire data network. A common scenario is monitoring traffic from a branch office. In these situations you could use ExtraHop’s RPCAP, which is a rewrite of the open source version: it doesn’t consume any memory or disk; it’s just a super efficient packet forwarder.
A question sometimes arises about how much network capacity RPCAP requires. RPCAP is implemented as a small binary that runs as a daemon (rpcapd) on each device whose traffic you want to monitor. The bandwidth used by RPCAP depends entirely on how much traffic is generated by the servers you want to monitor. When you install RPCAP on a host, you select the interface you would like to monitor on that host. RPCAP then captures all packets going in and out of that interface, encapsulates them, and sends them over the network to the ExtraHop Discover Appliance (EDA). By default it uses the UDP transport protocol over ports 2003-2035, so make sure those ports are open on any firewalls between the monitored hosts and the EDA. The best way to estimate how much traffic would be sent out from the datacenter is to measure the amount of traffic passing through the interfaces you want to monitor. The overhead of the RPCAP encapsulation is relatively low compared to the traffic that is being sent.
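One way to take that measurement on a Linux host, as an added example that is not ExtraHop's tooling: it samples the interface byte counters twice and reports the average rate in both directions. The `SYSFS_NET` override, the function names and the script name are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: estimate the traffic rpcapd would forward for one interface.
# Assumption: Linux byte counters under /sys/class/net/<iface>/statistics.
# Run it before rpcapd is installed so forwarded packets are not counted.
SYSFS_NET=${SYSFS_NET:-/sys/class/net}

# read_bytes IFACE: print rx_bytes + tx_bytes (RPCAP captures both directions)
read_bytes() {
    stats="$SYSFS_NET/$1/statistics"
    [ -r "$stats/rx_bytes" ] && [ -r "$stats/tx_bytes" ] || {
        echo "cannot read counters for interface: $1" >&2
        return 1
    }
    rx=$(cat "$stats/rx_bytes")
    tx=$(cat "$stats/tx_bytes")
    echo $((rx + tx))
}

# rate_bps START END SECONDS: average bits per second between two samples
rate_bps() {
    [ "$3" -gt 0 ] || { echo "interval must be > 0" >&2; return 1; }
    delta=$(($2 - $1))
    # A negative delta means the counters were reset (reboot, driver reload).
    [ "$delta" -ge 0 ] || { echo "counter reset, sample again" >&2; return 1; }
    echo $((delta * 8 / $3))
}

# estimate IFACE [SECONDS]: sample the interface and print the average rate
estimate() {
    iface=$1
    secs=${2:-60}
    first=$(read_bytes "$iface") || return 1
    sleep "$secs"
    second=$(read_bytes "$iface") || return 1
    bps=$(rate_bps "$first" "$second" "$secs") || return 1
    echo "$iface: about $((bps / 1000)) kbit/s averaged over ${secs}s," \
         "before RPCAP encapsulation overhead"
}

# Run only when an interface is named, e.g.: ./rpcap_estimate.sh eth0 300
# (rpcap_estimate.sh is a hypothetical script name)
if [ "$#" -ge 1 ]; then
    estimate "$@"
fi
```

The result is an average over the sampling window, so sample during the busiest period you expect to forward.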
More detailed info can be found in this blog article; it is older, but still relevant.