In this
chapter you can find answers to some of the most frequently asked
questions. The latest FAQ is always available at http://www.tamos.com/products/commview/faq.php.
Q. Can
CommView be used for capturing dial-up (RAS) adapter
traffic?
A. Yes.
Q. What exactly does CommView "see" when installed on a PC
connected to a LAN?
A.
CommView enables the network card's promiscuous mode and can
capture network traffic on the local segment of the LAN. In other
words, normally it captures and analyzes packets addressed to all
of the computers on the segment, not only to the one where the
program is running. There are certain limitations for Wireless
Ethernet adapters (you can monitor only inbound/outbound traffic)
and switched networks (see the next question about switches in this
FAQ).
Q. I am connected to the LAN through a switch, and when I launch
CommView, it captures only the packets sent to and from my machine.
I can't see the traffic of other machines. Why is this so?
A. Unlike
hubs, switches prevent promiscuous sniffing. In a switched network
environment, CommView (or any other packet analyzer) is limited to
capturing broadcast and multicast packets and the traffic sent or
received by the PC on which CommView is running. However, most
modern switches support "port mirroring", which is a feature that
allows you to configure the switch to redirect the traffic that
occurs on some or all ports to a designated monitoring port on the
switch. By using this feature, you will be able to monitor the entire
LAN segment. We wrote a white
paper,
Promiscuous Monitoring in Ethernet and Wi-Fi
Networks, that covers these topics
in detail.
Q. Ok,
I am connected to the LAN through a hub, but I can't see other
machines' traffic again, as if it's a switch. Why is this
so?
A. There are two possible
reasons: Either you have a hub that is only labeled as a hub, but
inside is a switch (some vendors like Linksys do that), or you have
a multi-speed hub, in which case you can't see the traffic from
stations operating at a speed different from your NIC's
speed (e.g. if you have a 10 Mbit NIC, you can't see the traffic
generated by 100 Mbit NICs).
Q. I
have a home LAN connected to the Internet via a broadband router,
and I can see only my own traffic. Is it possible to capture the
traffic of other machines on my home LAN?
A. In brief, yes. There
are a few methods that can help you solve this problem. For more
information and sample network layouts, please refer to our white
paper,
Promiscuous Monitoring in Ethernet and Wi-Fi
Networks.
Q. Can CommView capture data from a network adapter that doesn't
have an IP address?
A. Yes. In
fact, the network adapter does not need to be bound to TCP/IP or
any other protocol. When you are troubleshooting a network, you may
need to plug the computer running CommView into an available port on
a hub. In such cases you do not need to guess an IP address available
in the LAN segment; all you need to do is unbind the network adapter
from TCP/IP and
start capturing. Open Control Panel => Network Connections,
right-click on the connection icon, select Properties, and uncheck
the boxes corresponding to the protocols you don't want to be bound
to the NIC.
Q. I'm
on a LAN with high traffic volume, and it's hard to examine
individual packets when the application is receiving hundreds of
thousands of packets per second, as the old packets are quickly
removed from the circular buffer. Is there anything I can do about
it?
A. Yes, you can use the "Open current buffer in new window" button on the
small toolbar on the Packets tab. This will allow you to make snapshots of
the current buffer as many times as you wish, at any intervals. You will
then be able to explore the packets in these new windows at your leisure.
Q. I launched the program and clicked "Start Capture", but no
packets are displayed. Why?
A. There
are two possible reasons: You either selected an unused network
adapter, or you made a mistake when configuring the capturing
rules. Turn off the rules and see what happens. In any case, even
when the capturing rules are on, the program's status bar should
display the total number of packets, so have a look at it before
panicking.
Q. I noticed that IP/TCP/UDP checksums in the outgoing packets are
incorrect. Why is it so?
A. New
Gigabit network adapters have a feature called TCP/UDP/IP "checksum
offload", which allows the network adapter to calculate packet
checksums, thus increasing the system performance and decreasing
CPU utilization. Since CommView intercepts packets before they
reach the network adapter, the checksum appears to be incorrect.
This is normal and the only thing that it might affect is the
reconstruction of TCP sessions and only if you changed the default
"Ignore incorrect checksums" option (see Setting
Options for more information).
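The effect described in this answer can be reproduced offline. The Python example below is an added illustration, not CommView code: it verifies the IPv4 header and TCP checksums of a raw packet and labels a failing packet that was sent by the local host as an offload artifact. The packets are constructed samples, the function names are hypothetical, and leaving the checksum fields at zero is a simplification of what a capture taken before the adapter actually contains.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: complemented one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def verify(packet: bytes) -> dict:
    """Check the IPv4 header and TCP checksums of one raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:
        raise ValueError("not TCP")
    segment = packet[ihl:total_len]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    # Data that already contains its correct checksum sums to zero.
    return {"ip_ok": inet_checksum(packet[:ihl]) == 0,
            "tcp_ok": inet_checksum(pseudo + segment) == 0}

def explain(packet: bytes, local_ip: str) -> str:
    """Heuristic (assumed): bad checksum + local source = offload artifact."""
    result = verify(packet)
    if result["ip_ok"] and result["tcp_ok"]:
        return "checksums valid"
    if packet[12:16] == socket.inet_aton(local_ip):
        return "outgoing, checksum left to the adapter (offload)"
    return "bad checksum on received packet"

def build_packet(src: str, dst: str, payload: bytes, fill: bool) -> bytes:
    """Constructed sample; fill=False leaves the checksum fields at zero."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 5 << 4, 0x18,
                      8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    if fill:
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
        tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
        ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp

if __name__ == "__main__":
    for fill in (True, False):
        pkt = build_packet("192.0.2.10", "198.51.100.20", b"GET / HTTP/1.0\r\n\r\n", fill)
        print(fill, verify(pkt), explain(pkt, "192.0.2.10"))
```

Capturing the same outgoing packet on the receiving host, or on a mirror port after it has left the adapter, shows the checksums the adapter filled in.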
Q. Does CommView run on multi-processor computers?
A. Yes, it
does.
Q. It
seems to be impossible to save more than 5,000 packets from the
packet buffer. Is there a workaround?
A. Actually, there is no such limitation. The application uses a circular
buffer for storing captured packets. By default, the buffer can contain up
to the 5,000 latest packets, but this value can be adjusted in the Settings
window. The maximum buffer size is 20,000 packets (the buffer cannot be
unlimited for an obvious reason: your computer's RAM is not unlimited). You
can save the contents of the buffer to a file using the Logging tab.
However, by no means does this limit on the buffer size restrict your
ability to save any number of packets. You simply need to enable automatic
logging on the Logging tab. Such automatic logging will make the
application dump all the captured packets to file(s) continuously, and you
can set any limit on the total size of the captured data.
Q. My network connection is via a cable/xDSL modem. Will CommView
be able to monitor traffic on it?
A. If your
modem has a dual USB/Ethernet interface and you can connect it to
an Ethernet card, CommView will certainly capture traffic on it. If
it has only a USB interface, the best thing to do is to try.
Q. My firewall software warns me that CommView is "attempting to
access the Internet." I am aware that some sites are able to track
users by collecting the information sent by their programs via
Internet. Why does CommView "attempt to access the
Internet"?
A. Three activities may
alert your firewall. First, it may be an attempt to resolve IP
addresses to hostnames. Since CommView has to contact your DNS
servers to make a DNS query, it inevitably triggers the alarm. You
can disable this feature (Settings => Options => Disable DNS
resolving), but in this case, the Latest IP Connections tab will
not be able to show you the hostnames. Second, you may have
configured the program to check if updates or new versions are
available. To do this, CommView has to connect to
www.tamos.com. You can disable this
feature (Settings => Options => Misc. => Enable automatic
application updates). Third, when you purchase the product, you
need to activate it. If you select online activation, CommView has
to connect to
www.tamos.com. You can avoid this by
selecting manual activation. These are the only types of
connections CommView can potentially make. There are no other
hidden activities. We don't sell spyware.
Q. I'm
often logged on as a user without administrative privileges. Do I
have to log off and then re-logon as the administrator to be able
to run CommView?
A. No, you can open the
CommView folder, right-click on the CV.exe file while holding down
the Shift key, and select "Run As" from the pop-up menu. Enter the
administrative login and password in the window that pops up and
click OK to run the program. Under Windows Vista and higher,
CommView is automatically launched with elevated rights.
Q. Can
CommView monitor a network adapter when running under Microsoft
Virtual PC?
A.
Yes. The only
limitation is that promiscuous mode is not available for virtual
adapters, so you'll be limited to capturing your own and broadcast
packets only.
Q. When
I monitor my dial-up connection, I don't see any PPP packets during
the session set up (CHAP, LCP, etc). Is this normal?
A. Sorry, PPP handshaking
packets cannot be captured. Note that all other PPP packets that
follow the initial handshaking process are captured.
Q. I
use Wireshark and I noticed that it could no longer capture packets
after CommView had been installed.
A. There is a known
conflict between WinPcap, the driver used in Wireshark and many
similar products, and the driver used in CommView. There is a
simple workaround: Start capturing packets with Wireshark before
you start capturing packets with CommView. In this case, both
products will be able to capture data simultaneously. If you start
capturing with CommView first, WinPcap will fail to capture any
packets for a reason unknown to us.
Q. When
reconstructing TCP sessions that contain HTML pages in Japanese or
Chinese, I can't see the original text.
A. To see text in East
Asian languages, you should install East Asian fonts. Open Control
Panel => Regional and Language Options, select the "Languages"
tab, and check the "Install files for East Asian languages"
box.
Q. I'm
confused about the license types available for CommView. Could you
explain the difference between the license types?
A. There are three
CommView license types:
· The more expensive VoIP License grants you the right to use the
program anywhere for any commercial or noncommercial purpose and enables
all the application features, including the VoIP analyzer.
· The less expensive Enterprise License grants you the right to use the
program anywhere for any commercial or noncommercial purpose,
excluding the VoIP analyzer.
· The least expensive Home License grants you the right to use the
program at home for noncommercial purposes. If you use CommView to
monitor your home network, this license allows you to monitor no more
than ten hosts in your LAN. The Home License does not allow you to
connect to CommView Remote Agents or to capture loopback traffic, and
it does not enable the VoIP analyzer.
Additionally, the
Enterprise License is also available as a One Year Subscription,
which is a time-limited license valid for one year from the date of
purchase only.
Please refer to the End
User License Agreement that comes with the product for other
licensing terms and conditions.
Q. Can
I save the audio from the VoIP analyzer to a standard .wav or .mp3
file?
A. Not directly, but there
are many utilities on the market that offer a "virtual audio cable"
that allows saving anything that is played back through your sound
card to a file. Try, for example,
Xilisoft Sound Recorder
(use the "What
you hear" mode).