configure some of the program's options by selecting
=> Options in the menu.
capturing – check this box if you
want CommView to start capturing packets immediately after
launching the program. For systems with multiple adapters, you
should also select the adapter to be used from the drop-down
DNS resolving – check this box if you
don't want CommView to perform reverse DNS lookups of the IP
addresses. If you check it, the Hostname
IP Connections tab will be
numeric port values to service names – check this box if you
want CommView to display service names rather than numbers. For
example, if this box is checked, port 21
and port 23
The program converts numeric values to service names using the
SERVICES file installed by Windows. You can find the SERVICES file
in the \system32\drivers\etc folder. You can edit this file
manually if you want to add more ports/service names.
MAC addresses to aliases – substitute MAC addresses
for aliases on the Packets
assigned to MAC addresses using the Settings
=>MAC Aliases menu command.
IP addresses to aliases – substitute IP addresses
for aliases on the Packets
assigned to IP addresses using the Settings
=>IP Aliases menu command.
IP addresses to hostnames in the "Packets" tab – check this box if you
want CommView to show resolved hostnames rather than IP addresses
in the Packets
tab. If this
box is checked, CommView will first attempt to find an alias for
the given IP address. If no alias is found or the previous box
IP addresses to aliases) is not checked, CommView
will query the internal DNS cache for the hostname. If no hostname
is found, the IP address will be displayed in numeric
vendor names in the MAC addresses – by default, CommView
replaces the first three octets of the MAC address by the adapter
vendor name on the Packets
this checkbox if you want to change this behavior.
non-promiscuous mode – by default, CommView
puts the network adapter in promiscuous mode, which means that the
program captures all traffic in the local LAN segment. Checking
this box switches CommView to non-promiscuous mode, which you
sometimes may want to use, e.g. if your company's IT policy doesn't
allow promiscuous packet monitoring, or to reduce CPU usage in the
situation where you're interested only in your own inbound and
outbound packets and have to filter out many pass-through
when the adapter list has changed – check this box if you
want CommView to display a balloon message in the system tray area
once the number of active network adapters has been
full process path – check this
box if you want to see the full path to the process
sending/receiving packets in the
Latest IP connections tab, as
well as in the decoded packets tree in the
Packets tab (e.g.
is a full path, whereas "Program.exe" is a short path).
friendly adapter names – checking this option
will make CommView display the adapter names in the adapter
selection drop-down list in the tool bar as they appear in the
Windows Network Connections page.
gridlines – makes the program draw
gridlines in all packet lists.
packets in buffer – sets the maximum number
of packets the program stores in the memory and can display in the
packet list (2nd
example, if you set this value to 3000, only the last 3000 packets
will be stored in the memory and packet list. The higher this value
is, the more computer resources the program consumes.
Note that if
you want to have access to a high number of packets, it is
recommended that you use the auto-saving features (see
information): it allows you to dump all the packets to a log file
on the hard drive.
lines in Latest
IP Connections - sets the number of lines
the program displays on the Latest IP Connections tab. When the
number of connections exceeds the limit, the connections that have
been idle for the longest period of time are removed from the
Buffer - sets the driver buffer
size. This setting affects the program's performance: the more
memory allocated for the driver buffer, the fewer packets the
program drops. For low traffic LANs and dial-up connections, the
buffer size is not critical. For high traffic LANs, you may want to
increase the buffer size if the program drops packets. To check the
number of dropped packets, use the File
=> Performance Data menu command while
capturing is on.
Latest IP Connections
allows you to select the Latest IP Connections layout that best
suits your needs. Selecting an item from the drop-down list will
display the description of the selected logic. In most cases, it is
recommended to use the default Smart
Local IP Addresses – you should use this tool
if you monitor LAN traffic with many pass-through packets and a
mixture of external and internal IP addresses. In such a situation
CommView doesn't "know" which IP addresses should be treated as
local and might reverse the IP addresses in the Local and Remote IP
columns. This tool allows you to define the local network addresses
and subnet masks to make sure the Latest IP Connections window
works correctly. This will work only if you use the default
numeric PID to process names – check this box if you'd
like the process ID (PID) shown next to the process name in
color – sets the color for
displaying packets on the Packets tab based on the packet direction
(in, out, pass-through). To change a color, select the packet
direction from the drop-down list and click on the colored
Packet Headers – check this box if you want
CommView to colorize packet contents. If this box is checked, the
program displays the first eight packet layers using different
colors. To change a color, select the type of header for
which you want to change the color and click on the colored
syntax highlighting – sets the colors for
highlighting keywords in formulas in the
byte sequence color – sets the font and
background color for displaying the byte sequence that was selected
in the decoder tree. For example, when you select the "TCP" tree
node, the corresponding part of the packet will be highlighted
using these colors.
fully expand all nodes in the decoder window – check this box if you
would like to have all nodes in the decoder windows automatically
expanded when you select a new packet in the packet
the last nodes – check this box if you
would like to have the last node(s) in the decoder window
automatically expanded when you select a new packet in the packet
list and set the number of nodes to be expanded. By default, the
first node is expanded. This setting has no effect if the
fully expand all nodes in the decoder window box is checked.
level – set the number of levels
to expand. This defines the "depth" of tree node
up to the first level only in ASCII export – this option affects the
decoding format used when you export a packet log or individual
packet as ASCII file with decode. If this box is checked, only the
top-level nodes will be saved. For example, if you save a TCP/IP
packet when this option is disabled, all Type
of service sub-nodes are saved. When
this option is enabled, these sub-nodes are not saved. Checking
this box makes the output ASCII file less detailed and more
incorrect checksums when reconstructing TCP sessions –
affects the way CommView treats malformed TCP/IP packets when
reconstructing TCP sessions. By default, this option is on, and
packets with incorrect checksums are not discarded in the process
of reconstruction. If you turn off this option, packet with
incorrect checksums will be discarded and not displayed in the TCP
reconstruction window. Attention Gigabit card users: all your
outbound packets will have incorrect checksums if the "checksum
offload" feature is present. If you turn off this option, it's
likely that you will see only half of the reconstructed TCP stream.
The same applies to reconstructing loopback sessions, as loopback
packets have zero checksums.
packet numbers when reconstructing TCP sessions –
check this box
if you'd like the chunks of data shown in the TCP session
reconstruction window to be prepended by the packet numbers that
correspond to these chunks of data.
for the session start when reconstructing TCP sessions
if this box is
checked, the program will attempt to find the beginning of the TCP
session when you reconstruct it. If it is not checked, the session
will be reconstructed only from the selected packet, i.e. earlier
packets will be discarded.
GZIP content – check this box if you want
CommView to convert GZIP-compressed HTTP content into readable text
in the TCP Session Reconstruction windows. GZIP content is
decompressed only when the display type in the window is set to
images – check this box if you want
CommView to convert binary HTTP streams that represent images into
viewable JPG, BMP, PNG, and GIF pictures in the TCP Session
Reconstruction windows. Images are shown only when the display type
in the window is set to "HTML". Images are never shown within the
HTML pages to which they belong, as they are transferred by the
server in a separate HTTP session.
IPv4-style endings in IPv6 addresses –
if this box is
not checked, IPv6 addresses are shown using hexadecimal symbols
only, e.g. fe80::02c0:26ff:fe2d:edb5. If this box is checked, the
last 4 bytes of IPv6 addresses are shown using the IPv4-style
dotted notation, e.g. fe80::02c0:26ff:254.45.237.181.
fragmented IP packets –
check this box
if you'd like the program to reassemble IP packets that are
fragmented. By default, fragmented IP packets are displayed as they
were received from the wire, in their original form. If this option
is turned on, the program will maintain an internal buffer of
fragments and will attempt to "glue" them, displaying only the
results of successful reassembly.
to map incoming UDP packets to processes –
the program's packet-to-application mapping system does not try to
map incoming UDP packets to an owning process due to the
probabilistic nature of such mapping. Check this box if you'd
like the program to attempt to map these packets.
display type – select the display type
value from the drop-down list that you want to set as default for
TCP Session Reconstruction function. The available values are
ASCII, HEX, HTML, and EBCDIC.
VoIP analysis module is only available to VoIP license users or
evaluation version users who selected VoIP evaluation mode.
VoIP analysis – disables capture and
analysis of VoIP data. Check this box if you don't plan to work
with VoIP and want to minimize the usage of computer resources by
records in the list – limits the number of
displayed and processed VoIP events. When the number of records
exceed the specified limit, older records are deleted from the
Ignore orphan RTP
streams – when this box is
checked, VoIP analyzer will ignore captured RTP data streams that
don't have a parent signaling session. Orphan RTP streams typically
appear if packet capturing was started in the middle of a call, or
the signaling protocol is unknown to the application (i.e. not SIP
and not H.323), or the signaling protocol was sent in a
non-standard manner (e.g. encrypted or as part of some other
session). Such streams are still available for analysis, and
sometimes for playback. Please see the
Playback chapter for more detailed
information on playing VoIP calls. If you are not interested in
such orphan streams and want to save
on computer resources, please disable this option. Note that when
orphan streams are not ignored, VoIP analyzer may mistakenly
identify data transferred over UDP protocol as RTP streams.
Generally, this is not an error, as RTP packets don't have a
standard uniform signature, so such "false positives" are
IP-to-country mapping for IP addresses. When this functionality is
enabled, CommView checks the internal database to provide
information on the country any IP address belongs to. You can
configure the program to show ISO
country code, Country
flag next to any IP address.
You can also disable geolocation. For some IP addresses, such as
reserved ones (e.g. 192.168.*.* or 10.*.*.*) no information on the
country can be provided. In such cases, the country name is not
shown, or if you use the Country
flag option, a flag with a
question mark is displayed.
allocation is constantly changing, it's important that you always
have an up-to-date version of CommView. A fresh, up-to-date
database is included in every CommView build. A fresh database has
98% accuracy. Without updates, the accuracy percentage falls by
approximately 15% every year.
from the taskbar on minimization - check this box if you
don't want to see the program's button on the Windows taskbar when
you minimize the program. If this box is checked, use the program's
system tray icon to restore it after minimization.
multiple application instances – check this box if you
would like have multiple CommView instances running simultaneously
to be able to capture traffic going through different adapters.
This option is not available under Windows 95.
for confirmation when exiting the application – check this box if you
would like the program to ask you for a confirmation when you close
packet data window - if this box is checked,
the program scrolls the text of the packet data window
automatically when you select a new packet from the packets list
(but only if the text does not fit into the window). This is useful
when you want to see the contents of a long packet without manually
scrolling the window.
packet list to the last packet - if this box is checked,
the program automatically scrolls the packet list in the
tab down to
the last received packet.
new records in Latest IP Connections - if this box is checked,
the program auto-sorts new records on the Latest IP Connections tab
based on the user-defined sorting criterion (e.g. ascending
order of remote IP addresses).
CPU utilization control – if this box is checked,
the program tries to decrease CPU utilization when capturing
high-volume traffic by decreasing the quality and frequency of the
Windows startup - if this box is checked,
the program is launched automatically every time you start Windows.
Under Windows Vista and higher, this box is disabled if UAC is
enabled. This is a limitation of Windows Vista and newer Windows
versions that prevents applications with elevated rights from
loading on startup. If this feature is important, disable
minimized - if this box is checked,
the program is launched minimized and the main window is not
displayed until you click on the tray icon or taskbar
automatic application updates – check this box to let
the program connect to the TamoSoft Web site periodically and check
for updates. Use the Interval
between checks box to configure how often
the checks should be made.
This tab is
used by 3-rd party plug-ins for performing configuration tasks.