CRU 31030-1577-0000 User Manual

CRU® WiebeTech

®

Ditto® Network Tap Module

User Manual

Features

• Adds network tap functionality to the Ditto and Ditto DX Forensic FieldStations

• Captures Internet and VOIP traffi c with virtually no packet loss*

• Captures sustained 10/100 Mbps network traffi c and short burst gigabit network traffi c*

• Filter and capture network traffi c to a tcpdump/Wireshark-compatible PCAP fi le

• Optional live capture stream (rpcap) interface for Wireshark

• Fail-safe design continues passing through network traffi c if power is lost

*Packet loss is a function of the type and saturation level of traffi c on the tapped network

Ditto Network Tap Module User Manual

2

TABLE OF CONTENTS

1 General Information 2

1.1 Package Contents 2

1.2 Identifying Parts 2

1.3 How to Use the Network Tap Module 3

2 Setup 3

3 Network Tap Functionality 3

3.1 Home Screen 3

3.1.1 PCAP Network Capture 3

3.1.2 Live Network Capture 4

3.1.3 Simultaneous PCAP and Live Network Capture 5

3.2 Confi gure Screen 5

3.2.1 System 5

3.2.2 Network 6

3.3 Network Capture 6

3.3.1 Network Capture Settings 6

3.3.2 Live Capture Settings 7

3.3.3 Advanced Settings 7

3.4 Using and Confi guring Network Capture Filters 7

3.4.1 Filter Creation Via Web Browser 7

3.4.2 Manual Filter Creation 8

3.5 Using the Front Panel Interface in Standalone Mode 9

4 Technical Specifi cations 10

1 GENERAL INFORMATION

1.1 PACKAGE CONTENTS

The following list contains the items that are included in the

complete confi guration for this device. Please contact CRU if

any items are missing or damaged:

Item Quantity

Network Tap Module 1

Ethernet cable (RJ45) 2

User Manual 1

1.2 IDENTIFYING PARTS

Take a moment to familiarize yourself with the parts of the

product. This will help you to better understand the following

instructions.

FRONT

USB 2.0 Port

Protecting Your Digital Assets

RJ45 Gigabit

Ethernet Connection

RJ45 Gigabit

Ethernet Connection

BACK

Expansion Module

Connector

TM

USB 2.0

Passthrough

Ditto Network Tap Module User Manual

3

1.3 HOW TO USE THE NETWORK TAP MODULE

Use the Network Tap Module with the Source Inputs side of your Ditto or Ditto DX to intercept network

traffic that travels between the target computer and the network it is connected to. The available con

nections include two RJ45 gigabit Ethernet ports and a USB 2.0 port for use with USB storage devices, a

keyboard, or a wifi adapter. Both RJ45 ports are direction agnostic, so it doesn’t matter which port is used

to connect to the network and which is used to connect to the target computer.

-

NOTE

CRU recommends that you switch the power off to your Ditto product when you add or remove a
device from it in order to avoid disk damage and data corruption.

2 SETUP

a. With your Ditto product powered off, insert the Network Tap Module into the Source Inputs side of your

Ditto product.

b. Connect an Ethernet cable connected to your network into one of the RJ45 gigabit Ethernet ports on the

expansion module.

c. Connect another Ethernet cable to the remaining RJ45 gigabit Ethernet port on the expansion module and

connect the other end to your computer.

d. Turn your Ditto product on.

You are ready to start using your Ditto product with the Network Tap Module! You may access its settings

via the Browser Interface (see your Ditto product’s user manual) or via the Front Panel (see Section 3.5).

3 NETWORK TAP FUNCTIONALITY

The Network Tap Module adds several new actions and functions to the Ditto and Ditto DX browser interface

and Front Panel. They are listed below:

3.1 HOME SCREEN

The Network Tap Module adds a “Network Capture” action to Action panel on the “Home” screen of the

Browser Interface. Click on the Home tab to access the “Home” screen from any other area of the Browser

Interface.

The “Network Capture” action provides two methods of capturing network traffic that can be combined and

used simultaneously if you wish. The first method captures network traffic and stores it in a series of incre

mented PCAP files on the local target destination. The second method captures network traffic in real-time

and outputs it to a remote monitor that uses a third-party Wireshark network protocol analyzer. Instructions

for both methods as well as instructions for using them simultaneously can be found below.

3.1.1 PCAP Network Capture

a. Using the Browser Interface, select Network Capture from the “Action to Perform” drop-down

box.

b. Select the network capture filter from the “Network Capture Filter” drop-down box or type in the

ports you wish to capture in the text box directly below. Use the syntax “port ## or ##” without

quotes (e.g. port 80 or 81 or 443).

c. Select “Network Tap” from the “Interface” drop-down box.

Protecting Your Digital Assets

TM

-

Ditto Network Tap Module User Manual

4

d. Select the media from the “Destination” drop-down box that you want Network Tap Module to save

your captured data.

e. Select the partition on the destination media you want to capture to from the “Partition” drop-down

box.

f. Bypass “Live Network Capture” and leave it disabled.

g. Click the Start button to begin capturing network data. When you are fi nished, click the Stop

button.

You can view the log of the network capture action by scrolling down to the “System Log” panel on

the “Home” screen. Find and click on the latest link, which will be denoted by a fi lename with a date/

timestamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs button from the

top menu bar.

You can view the data retrieved from the network capture action by examining the destination media,

which will contain a folder named with the same data/timestamp format: “S_yyyymmddhhmmss”. This

folder includes the PCAP fi les containing the captured data, an XML fi le containing the log information of

the network capture, and—if hashing is enabled—a TXT fi le that contains each of the generated PCAP

fi les’ MD5 or SHA-1 hash value (see Section 5.1.2 to enable hashing).

3.1.2 Live Network Capture

a. Using the Browser Interface, select Network Capture from the “Action to Perform” drop-down

box.

b. Select the network capture fi lter from the “Network Capture Filter” drop-down box or type in the

ports you wish to capture in the text box directly below. Use the syntax “port ## or ##” without

quotes (e.g. port 80 or 81 or 443)

c. Disregard the “Interface” and “Destination” drop-down boxes.

d. Ensure your third party Wireshark network protocol analyzer is standing by to receive data. If you

need help in confi guring Wireshark itself, click the

ture” for a link to Wireshark’s remote capture documentation.

e. Click the Enable button next to “Live Network Capture” to turn live network capture on. When you

are fi nished capturing network traffi c, click the Disable button.

STOP!

Do NOT click the Start button! This button actually enables the PCAP network capture function that
captures network traffi c to your local destination media. It does NOT enable live network capture.

Figure 1. The “Action” section on the “Home” screen, showing

the options available for the “Network Capture” action.

Information icon next to “Live Network Cap-

Protecting Your Digital Assets

TM