LAN Analyzer and Protocol Decoder - CommView


Reconstructing TCP Sessions

This tool allows you to view the TCP conversation between two hosts. To reconstruct a TCP session, first select a TCP packet on the Packets tab. Depending on the settings (the Search for the session start when reconstructing TCP sessions box in Settings => Options => Decoding), the session will be reconstructed either from the selected packet, which may be in the middle of the "conversation", or from the session start. If you want to reconstruct the entire session, it is recommended that you select the first packet in the session; otherwise, the reconstruction may start in the middle of the "conversation". After you locate and select the packet, right-click on it and select Reconstruct TCP Session from the pop-up menu as shown below:


Reconstructing sessions works best for text-based protocols, such as POP3, Telnet, or HTTP. You can also reconstruct a download of a large zipped file, but it can take CommView a long time to reconstruct several megabytes of data, and the obtained information would be useless in most cases. The Contents tab displays the actual session data, while the Session Analysis tab graphically displays the flow of the reconstructed TCP session. A sample HTTP session that contains HTML data displayed in ASCII and HTML modes is shown below:



In HTML display mode, HTML pages never include inline graphics, because in the HTTP protocol images are transferred separately from HTML data. To view the images, it is usually necessary to navigate to the next TCP session. A sample HTTP session that contains image data displayed in HTML mode is shown below:


By default, CommView attempts to decompress GZIP'd web content and reconstruct images from binary streams. If you want to turn off this functionality, use the Decoding tab of the program's Options dialog.

You can filter out the data that came from one of the directions by unchecking one of the check boxes on the bottom pane. Incoming and outgoing data are marked by different colors for your convenience. If you want to change one of the colors, click Settings => Colors and pick a different color. You can enable or disable word wrapping using the Word Wrap item in the Settings menu.

The Display type drop-down list allows you to view data in the ASCII (plain-text data), HEX (hexadecimal data), HTML (web pages and images), EBCDIC (IBM mainframes' data encoding), and UTF-8 (Unicode data) formats. Please note that viewing data as HTML does not necessarily produce exactly the same result as the one you can see in the web browser (e.g. you will not be able to see inline graphics); however, it should give you a good idea of what the original page looked like.

You can choose the default display type for the TCP Session Reconstruction window in the Decoding tab of the program's Options dialog.

The Navigation buttons allow you to search the buffer for the next or previous TCP session. The first forward button (>>) will search for the next session between those two hosts that were involved in the first reconstructed session. The second forward button (>>>) will search for the next session between any two hosts. If you have multiple TCP sessions between the two hosts in the buffer and you'd like to see them all one by one, it is recommended to start the reconstruction from the first session, as the back button (<<) cannot navigate beyond the TCP session that was reconstructed first.

The obtained data can be saved as a binary, HTML, text, or rich text file by clicking File => Save As…. When saving in text format, the resulting file is a Unicode UTF-16 file. When saving in HTML format, the encoding of the resulting file depends on the currently selected Display type. If HTML is currently selected, the resulting file is an ANSI text file; for all other display types the resulting file is a Unicode UTF-16 file. Note that if you're saving an HTTP session with images, the images in the saved HTML file are stored in a temporary location on your hard drive, so if you want to preserve them, open the saved file in your browser and re-save the file in a format that includes images, such as MHT, before closing CommView.

You can search for a string in the session by clicking Edit => Find….

Session Analysis

The Session Analysis tab of the TCP Session window graphically displays the reconstructed TCP session. You can see the session data flow, errors, delays, and retransmissions of lost data.

The following data is displayed for every session packet:

· TCP flags.
· Absolute and relative SEQ and ACK values.
· Packet arrival time.
· Delta time between the current and previous packet.
· Packet number in the reconstructed session.

If a packet contains errors, the nature of the error is explained. It appears as a text description along the right edge of the graph. When you move the mouse over a packet, its contents are displayed in a hint window if the packet contains any data. Note that the Display type field affects the way the data is decoded in the hint window. A sample session analysis window is shown below:


The right pane shows some basic statistics for the given session:

Connection Time - the time it took to establish the TCP connection. In other words, it's the three-way TCP handshake time (SYN => SYN ACK => ACK).

Server Response Time - the time elapsed between the initial client request and the server's first data response.

Data Transfer Time - the time between the server's first and final data responses (0 if there was only one server response).
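As an added illustration (not CommView's own code) of what the Contents tab and the Session Analysis tab derive from a capture, the following Python computes relative SEQ/ACK values, inter-packet delta times, a retransmission note, one direction's reassembled payload, and the three right-pane timings defined above, over a constructed sample session; the packet record layout, function names and all sample values are assumptions.

```python
from collections import namedtuple
# t: arrival time in ms; src/dst: "ip:port"; flags: S=SYN A=ACK P=PSH F=FIN; data: payload
Pkt = namedtuple("Pkt", "t src dst flags seq ack data", defaults=(b"",))

# Constructed sample session (not a real capture): handshake, HTTP request, two
# response segments, one retransmitted segment, FIN. Absolute SEQ/ACK are synthetic.
C, S = "10.0.0.5:40000", "192.0.2.10:80"
SESSION = [
    Pkt(0,   C, S, "S",  1000, 0),
    Pkt(20,  S, C, "SA", 5000, 1001),
    Pkt(21,  C, S, "A",  1001, 5001),
    Pkt(22,  C, S, "PA", 1001, 5001, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    Pkt(90,  S, C, "A",  5001, 1034),
    Pkt(95,  S, C, "PA", 5001, 1034, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"),
    Pkt(130, S, C, "PA", 5039, 1034, b"hello"),
    Pkt(131, S, C, "PA", 5039, 1034, b"hello"),  # retransmission of the previous segment
    Pkt(132, C, S, "FA", 1034, 5044),
]

def analyze(pkts):
    """Rows as on the Session Analysis tab: (no, flags, rel SEQ, rel ACK, time, delta, error)."""
    isn, expected, rows, prev_t = {}, {}, [], pkts[0].t
    for n, p in enumerate(pkts, 1):
        isn.setdefault(p.src, p.seq)               # first SEQ seen per direction is its ISN
        rel_ack = p.ack - isn[p.dst] if p.dst in isn else 0
        err = "retransmission" if p.data and p.seq < expected.get(p.src, 0) else ""
        expected[p.src] = max(expected.get(p.src, 0), p.seq + len(p.data) + ("S" in p.flags))
        rows.append((n, p.flags, p.seq - isn[p.src], rel_ack, p.t, p.t - prev_t, err))
        prev_t = p.t
    return rows

def reassemble(pkts, src):
    """Contents-tab view of one direction: payload in SEQ order, retransmitted bytes dropped."""
    out, nxt = b"", 0
    for p in sorted((p for p in pkts if p.src == src and p.data), key=lambda p: p.seq):
        if p.seq + len(p.data) > nxt:              # segment carries bytes not seen yet
            out += p.data[max(0, nxt - p.seq):]    # drop the overlapping (retransmitted) prefix
            nxt = p.seq + len(p.data)
    return out

def stats(pkts):
    """Connection, Server Response and Data Transfer times as defined for the right pane."""
    syn = next(p for p in pkts if "S" in p.flags and "A" not in p.flags)
    client, server = syn.src, syn.dst
    synack = next(p for p in pkts if p.src == server and "S" in p.flags)
    ack = next(p for p in pkts if p.t >= synack.t and p.src == client
               and "A" in p.flags and "S" not in p.flags)
    req = next(p for p in pkts if p.src == client and p.data)
    resp = [p for p in pkts if p.src == server and p.data]   # includes the retransmitted one
    return {"connection_ms": ack.t - syn.t, "server_response_ms": resp[0].t - req.t,
            "data_transfer_ms": resp[-1].t - resp[0].t if len(resp) > 1 else 0}
```

Relative SEQ/ACK are computed from the first sequence number seen in each direction, so the SYN shows 0 and the first data segment shows 1, matching the usual analyzer convention.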

You can save the graphic layout of the reconstructed TCP session as a BMP, GIF, or PNG file by right-clicking on the layout and selecting the Save Image As… item of the context menu. Sessions with a large number of packets will be split into multiple files.