In this chapter you can find answers to some of the most frequently asked
questions. The latest FAQ is always available at http://www.tamos.com/products/commview/faq.php.
Q. Can CommView be used for capturing dial-up (RAS) adapter
Q. What exactly does CommView "see" when installed on a PC connected to a
A. CommView enables the network card's promiscuous mode and can
capture network traffic on the local segment of the LAN. In other
words, normally it captures and analyzes packets addressed to all
of the computers on the segment, not only to the one where the
program is running. There are certain limitations for Wireless
Ethernet adapters (you can monitor only inbound/outbound traffic)
and switched networks (see the next question about switches in this
Q. I am
connected to the LAN through a switch, and when I launch CommView,
it captures only the packets sent to and from my machine. I can't
see the traffic of other machines. Why is this so?
A. Unlike hubs, switches prevent promiscuous sniffing. In a switched network
environment, CommView (or any other packet analyzer) is limited to
capturing broadcast and multicast packets and the traffic sent or
received by the PC on which CommView is running. However, most
modern switches support "port mirroring", which is a feature that
allows you to configure the switch to redirect the traffic that
occurs on some or all ports to a designated monitoring port on the
switch. By using this feature, you will be able to monitor the entire
LAN segment. We wrote a white paper, Promiscuous Monitoring in Ethernet and
Wi-Fi Networks, that covers these topics
Q. I am connected to the LAN through a hub, but I can't see other
machines' traffic again, as if it's a switch. Why is this
A. There are
two possible reasons: Either you have a hub that is only labeled as
a hub, but inside is a switch (some vendors like Linksys do that),
or you have a multi-speed hub, in which case you can't see the
traffic from the stations operating at the speed that is different
from your NIC's speed (e.g. if you have a 10 Mbit NIC, you can't
see the traffic generated by 100 Mbit NICs).
Q. I have a home LAN connected to the Internet via a broadband router,
and I can see only my own traffic. Is it possible to capture the
traffic of other machines on my home LAN?
A. In brief,
yes. There are a few methods that can help you solve this problem.
For more information and sample network layouts, please refer to
our white paper, Promiscuous Monitoring in Ethernet and Wi-Fi Networks.
Q. Can CommView capture data from a network adapter that doesn't have an
A. Yes. In
fact, the network adapter does not need to be bound to TCP/IP or
any other protocol. When you are troubleshooting a network, it might be
necessary to plug the computer running CommView into an available port
on a hub. In such cases you do not need to guess the IP address
available in the LAN segment; all you need to do is unbind the network
adapter from TCP/IP and
start capturing. Open Control Panel => Network Connections,
right-click on the connection icon, select Properties, and uncheck
the boxes corresponding to the protocols you don't want to be bound
to the NIC.
Q. I am on a LAN with high traffic volume, and it's hard to examine
individual packets when the application is receiving hundreds of
thousands of packets per second, as the old packets are quickly
removed from the circular buffer. Is there anything I can do about
A. Yes, you can use the Open current buffer in new window button on the
small toolbar on the Packets tab. This will
allow you to make snapshots of the current buffer as many times as
you wish, at any intervals. You will then be able to explore the
packets in these new windows at your leisure.
Q. I launched the program and clicked "Start Capture", but no packets
are displayed. Why?
A. There are two possible reasons: You either selected an unused network
adapter, or you made a mistake when configuring the capturing
rules. Turn off the rules and see what happens. In any case, even
when the capturing rules are on, the program's status bar should
display the total number of packets, so have a look at it before
Q. I noticed that IP/TCP/UDP checksums in the outgoing packets are
incorrect. Why is it so?
A. Gigabit network adapters have a feature called TCP/UDP/IP "checksum
offload", which allows the network adapter to calculate packet
checksums, thus increasing the system performance and decreasing
CPU utilization. Since CommView intercepts packets before they
reach the network adapter, the checksum appears to be incorrect.
This is normal and the only thing that it might affect is the
reconstruction of TCP sessions and only if you changed the default
"Ignore incorrect checksums" option (see Setting
Options for more information).
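The effect described in this answer can be reproduced offline. The following is an added example, not part of CommView or its documentation: it builds a constructed IPv4/TCP packet twice, once with checksums filled in and once as a capture taken before the adapter computes them, then validates both with the RFC 1071 Internet checksum. The function names, addresses and ports are hypothetical, and leaving the checksum fields at zero is an assumption used to model the not-yet-computed state.

```python
import socket
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's complement of the one's-complement 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"                          # pad odd-length input
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                           # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """TCP pseudo-header that is covered by the TCP checksum."""
    return src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len)

def build_packet(src: str, dst: str, payload: bytes, offloaded: bool) -> bytes:
    """Constructed IPv4/TCP packet. offloaded=True leaves both checksum
    fields at zero (assumption: models a frame captured before the NIC
    has calculated them)."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 5 << 4, 0x18,
                      8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64,
                     socket.IPPROTO_TCP, 0, s, d)
    if not offloaded:
        tcp_sum = internet_checksum(pseudo_header(s, d, len(tcp)) + tcp)
        tcp = tcp[:16] + struct.pack("!H", tcp_sum) + tcp[18:]
        ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + tcp

def verify(packet: bytes) -> dict:
    """Report whether the IPv4 header and TCP checksums validate."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    ip, tcp = packet[:ihl], packet[ihl:total_len]
    # A correct checksum makes the sum over the covered bytes come out as 0.
    ip_ok = internet_checksum(ip) == 0
    tcp_ok = internet_checksum(
        pseudo_header(ip[12:16], ip[16:20], len(tcp)) + tcp) == 0
    return {"ip_ok": ip_ok, "tcp_ok": tcp_ok}

if __name__ == "__main__":
    body = b"GET / HTTP/1.1\r\n\r\n"             # constructed sample payload
    for offloaded in (False, True):
        pkt = build_packet("192.168.1.10", "192.168.1.20", body, offloaded)
        print("offloaded" if offloaded else "on the wire", verify(pkt))
```

The same packet that fails validation at the capture point is valid once the adapter has filled in the fields, which is why only outgoing packets on the capturing machine show the error.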
Q. Can CommView run on multi-processor computers?
A. Yes, it
Q. It seems to be impossible to save more than 5,000 packets from the
packet buffer. Is there a workaround?
A. There is no such limitation. The application uses a circular buffer
for storing captured packets. By default, the buffer can contain up
to 5,000 latest packets, but this value can be adjusted in
maximum buffer size is 20,000 packets (the buffer cannot be
unlimited for an obvious reason: your computer's RAM is not
unlimited). You can save the contents of the buffer to a file using
by no means does this limit on the buffer size restrict your
ability to save any number of packets. You simply need to enable
automatic logging on the Logging
automatic logging will make the application dump all the captured
packets to file(s) continuously, and you can set any limit on the
total size of the captured data.
Q. My network connection is via a cable/xDSL modem. Will CommView be able
to monitor traffic on it?
A. If your
modem has a dual USB/Ethernet interface and you can connect it to
an Ethernet card, CommView will certainly capture traffic on it. If
it has only a USB interface, the best thing to do is to try.
Q. My firewall software warns me that CommView is "attempting to access
the Internet." I am aware that some sites are able to track users
by collecting the information sent by their programs via Internet.
Why does CommView "attempt to access the Internet"?
activities may alert your firewall. First, it may be an attempt to
resolve IP addresses to hostnames. Since CommView has to contact
your DNS servers to make a DNS query, it inevitably triggers the
alarm. You can disable this feature (Settings => Options =>
Disable DNS resolving), but in this case, the Latest IP Connections
tab will not be able to show you the hostnames. Second, you may
have configured the program to check if updates or new versions are
available. To do this, CommView has to connect to
www.tamos.com. You can disable this
feature (Settings => Options => Misc. => Enable automatic
application updates). Third, when you purchase the product, you
need to activate it. If you select online activation, CommView has
to connect to
www.tamos.com. You can avoid this by
selecting manual activation. These are the only types of
connections CommView can potentially make. There are no other
hidden activities. We don't sell spyware.
Q. I am often logged on as a user without administrative privileges. Do I
have to log off and then re-logon as the administrator to be able
to run CommView?
A. No, you can
open the CommView folder, right-click on the CV.exe file while holding
down the Shift key, and select "Run As" from the pop-up menu. Enter
the administrative login and password in the window that pops up
and click OK to run the program. Under Windows Vista and higher,
CommView is automatically launched with elevated rights.
Q. Can CommView monitor a network adapter when running under Microsoft
A. Yes. The only
limitation is that promiscuous mode is not available for virtual
adapters, so you'll be limited to capturing your own and broadcast
Q. When I monitor my dial-up connection, I don't see any PPP packets during
the session set up (CHAP, LCP, etc). Is this normal?
A. Sorry, PPP
handshaking packets cannot be captured. Note that all other PPP
packets that follow the initial handshaking process are
Q. I use Wireshark and I noticed that it could no longer capture packets
after CommView had been installed.
A. There is a
known conflict between WinPcap, the driver used in Wireshark and
many similar products, and the driver used in CommView. There is a
simple workaround: Start capturing packets with Wireshark before
you start capturing packets with CommView. In this case, both
products will be able to capture data simultaneously. If you start
capturing with CommView first, WinPcap will fail to capture any
packets for a reason unknown to us.
Q. When reconstructing TCP sessions that contain HTML pages in Japanese or
Chinese, I can't see the original text.
A. To see text
in East Asian languages, you should install East Asian fonts. Open
Control Panel => Regional and Language Options, select the
"Languages" tab, and check the "Install files for East Asian
Q. Can I save the audio from the VoIP analyzer to a standard .wav or .mp3
directly, but there are many utilities on the market that offer a
"virtual audio cable" that allows saving anything that is played
back through your sound card to a file. Try, for example,
Xilisoft Sound Recorder (use the "What you hear" mode).