LAN Analyzer and Protocol Decoder - CommView

Prev Page Next Page
About CommView
What's New
Using the Program
Selecting Network Interface for Monitoring
Latest IP Connections
Viewing Logs
Advanced Rules
Reconstructing TCP Sessions
Reconstructing UDP Streams
Searching Packets
Statistics and Reports
Using Aliases
Packet Generator
Visual Packet Builder
NIC Vendor Identifier
Using Remote Agent
Capturing Loopback Traffic
Port Reference
Setting Options
Frequently Asked Questions
VoIP Analysis
Working with VoIP Analyzer
SIP and H.323 Sessions
RTP Streams
Call Logging
Call Playback
Viewing VoIP Logs
Working with Lists in VoIP Analyzer
NVF Files
Advanced Topics
Capturing High Volume Traffic
Working with Multiple Instances
Running CommView in Invisible Mode
Command Line Parameters
Exchanging Data with Your Application
Custom Decoding
CommView Log Files Format
Sales and Support

Frequently Asked Questions

In this chapter you can find answers to some of the most frequently asked questions. The latest FAQ is always available at http://www.tamos.com/products/commview/faq.php.

Q. Can CommView be used for capturing dial-up (RAS) adapter traffic?

A. Yes.

Q. What exactly does CommView "see" when installed on a PC connected to a LAN?

A. CommView enables the network card's promiscuous mode and can capture network traffic on the local segment of the LAN. In other words, normally it captures and analyzes packets addressed to all of the computers on the segment, not only to the one where the program is running. There are certain limitations for Wireless Ethernet adapters (you can monitor only inbound/outbound traffic) and switched networks (see the next question about switches in this FAQ).

Q. I am connected to the LAN through a switch, and when I launch CommView, it captures only the packets sent to and from my machine. I can't see the traffic of other machines. Why is this so?

A. Unlike hubs, switches prevent promiscuous sniffing. In a switched network environment, CommView (or any other packet analyzer) is limited to capturing broadcast and multicast packets and the traffic sent or received by the PC on which CommView is running. However, most modern switches support "port mirroring", which is a feature that allows you to configure the switch to redirect the traffic that occurs on some or all ports to a designated monitoring port on the switch. By using this feature, you will able to monitor the entire LAN segment. We wrote a white paper, Promiscuous Monitoring in Ethernet and Wi-Fi Networks, that covers these topics in detail.

Q. Ok, I am connected to the LAN through a hub, but I can't see other machines' traffic again, as if it's a switch. Why is this so?

A. There are two possible reasons: Either you have a hub that is only labeled as a hub, but inside is a switch (some vendors like Linksys do that), or you have a multi-speed hub, in which case you can't see the traffic from the stations operating at the speed that is different from your NIC's speed (e.g. if you have a 10 Mbit NIC, you can't see the traffic generated by 100 Mbit NICs).

Q. I have a home LAN connected to the Internet via a broadband router, and I can see only my own traffic. Is it possible to capture the traffic of other machines on my home LAN?

A. In brief, yes. There are a few methods that can help you solve this problem. For more information and sample network layouts, please refer to our white paper, Promiscuous Monitoring in Ethernet and Wi-Fi Networks.

Q. Can CommView capture data from a network adapter that doesn't have an IP address?

A. Yes. In fact, the network adapter does not need to be bound to TCP/IP or any other protocol. In a situation where you are troubleshooting a network it might be necessary to be able to plug in the computer running CommView into an available port on a hub. In such cases you do not need to guess the IP address available in the LAN segment, all you need to do is unbind the network adapter from TCP/IP and start capturing. Open Control Panel => Network Connections, right-click on the connection icon, select Properties, and uncheck the boxes corresponding to the protocols you don't want to be bound to the NIC.

Q. I'm on a LAN with high traffic volume, and it's hard to examine individual packets when the application is receiving hundreds of thousands of packets per second, as the old packets are quickly removed from the circular buffer. Is there anything I can do about it?

A. Yes, you can use the Open current buffer in new window button on the small toolbar on the Packets tab. This will allow you to make snapshots of the current buffer as many times as you wish, at any intervals. You will then be able to explore the packets in these new windows at your leisure.

Q. I launched the program and clicked "Start Capture", but no packets are displayed. Why?

A. There are two possible reasons: You either selected an unused network adapter, or you made a mistake when configuring the capturing rules. Turn off the rules and see what happens. In any case, even when the capturing rules are on, the program's status bar should display the total number of packets, so have a look at it before panicking.

Q. I noticed that IP/TCP/UDP checksums in the outgoing packets are incorrect. Why is it so?

A. New Gigabit network adapters have a feature called TCP/UDP/IP "checksum offload", which allows the network adapter to calculate packet checksums, thus increasing the system performance and decreasing CPU utilization. Since CommView intercepts packets before they reach the network adapter, the checksum appears to be incorrect. This is normal and the only thing that it might affect is the reconstruction of TCP sessions and only if you changed the default "Ignore incorrect checksums" option (see Setting Options for more information).

Q. Does CommView run on multi-processor computers?

A. Yes, it does.

Q. It seems to be impossible to save more than 5,000 packets from the packet buffer. Is there a workaround?

A. Actually, there is no such limitation. The application uses a circular buffer for storing captured packets. By default, the buffer can contain up to 5,000 latest packets, but this value can be adjusted in the Settings window. The maximum buffer size is 20,000 packets (the buffer cannot be unlimited for an obvious reason: your computer's RAM is not unlimited). You can save the contents of the buffer to a file using the Logging tab. However, by no means does this limit on the buffer size restrict your ability to save any number of packets. You simply need to enable automatic logging on the Logging tab. Such automatic logging will make the application dump all the captured packets to file(s) continuously, and you can set any limit on the total size of the captured data.

Q. My network connection is via a cable/xDSL modem. Will CommView be able to monitor traffic on it?

A. If your modem has a dual USB/Ethernet interface and you can connect it to an Ethernet card, CommView will certainly capture traffic on it. If it has only a USB interface, the best thing to do is to try.

Q. My firewall software warns me that CommView is "attempting to access the Internet." I am aware that some sites are able to track users by collecting the information sent by their programs via Internet. Why does CommView "attempt to access the Internet"?

A. Three activities may alert your firewall. First, it may be an attempt to resolve IP addresses to hostnames. Since CommView has to contact your DNS servers to make a DNS query, it inevitably triggers the alarm. You can disable this feature (Settings => Options => Disable DNS resolving), but in this case, the Latest IP Connections tab will not be able to show you the hostnames. Second, you may have configured the program to check if updates or new versions are available. To do this, CommView has to connect to www.tamos.com. You can disable this feature (Settings => Options => Misc. => Enable automatic application updates). Third, when you purchase the product, you need to activate it. If you select online activation, CommView has to connect to www.tamos.com. You can avoid this by selecting manual activation. These are the only types of connections CommView can potentially make. There are no other hidden activities. We don't sell spyware.

Q. I'm often logged on as a user without administrative privileges. Do I have to log off and then re-logon as the administrator to be able to run CommView?

A. No, you can open CommView folder, right-click on the CV.exe file while holding down the Shift key, and select "Run As" from the pop-up menu. Enter the administrative login and password in the window that pops up and click OK to run the program. Under Windows Vista and higher, CommView is automatically launched with elevated rights.

Q. Can CommView monitor a network adapter when running under Microsoft Virtual PC?

A. Yes. The only limitation is that promiscuous mode is not available for virtual adapters, so you'll be limited to capturing your own and broadcast packets only.

Q. When I monitor my dial-up connection, I don't see any PPP packets during the session set up (CHAP, LCP, etc). Is this normal?

A. Sorry, PPP handshaking packets cannot be captured. Note that all other PPP packets that follow the initial handshaking process are captured.

Q. I use WireShark and I noticed that it could no longer capture packets after CommView had been installed.

A. There is a known conflict between WinPcap, the driver used in WireShark and many similar products, and the driver used in CommView. There is a simple workaround: Start capturing packets with WireShark before you start capturing packets with CommView. In this case, both products will be able to capture data simultaneously. If you start capturing with CommView first, WinPcap will fail to capture any packets for a reason unknown to us.

Q. When reconstructing TCP sessions that contain HTML pages in Japanese or Chinese, I can't see the original text.

A. To see text in East Asian languages, you should install East Asian fonts. Open Control Panel => Regional and Language Options, select the "Languages" tab, and check the "Install files for East Asian languages" box.

Q. Can I save the audio from the VoIP analyzer to a standard .wav or .mp3 file?

A. Not directly, but there are many utilities on the market that offer a "virtual audio cable" that allows saving anything that is played back through your sound card to a file. Try, for example, Xilisoft Sound Recorder (use the "What you hear" mode).