LAN Analyzer and Protocol Decoder - CommView

Prev Page Next Page
About CommView
What's New
Using the Program
Selecting Network Interface for Monitoring
Latest IP Connections
Viewing Logs
Advanced Rules
Reconstructing TCP Sessions
Reconstructing UDP Streams
Searching Packets
Statistics and Reports
Using Aliases
Packet Generator
Visual Packet Builder
NIC Vendor Identifier
Using Remote Agent
Capturing Decrypted SSL Traffic
Capturing Loopback Traffic
Port Reference
Setting Options
Frequently Asked Questions
VoIP Analysis
Working with VoIP Analyzer
SIP and H.323 Sessions
RTP Streams
Call Logging
Call Playback
Viewing VoIP Logs
Working with Lists in VoIP Analyzer
NVF Files
Advanced Topics
Capturing High Volume Traffic
Working with Multiple Instances
Running CommView in Invisible Mode
Command Line Parameters
Exchanging Data with Your Application
Custom Decoding
CommView Log Files Format
How to Purchase CommView

Setting Options

You can configure some of the program's options by selecting Settings => Options in the menu.


Auto-start capturing – check this box if you want CommView to start capturing packets immediately after launching the program. For systems with multiple adapters, you should also select the adapter to be used from the drop-down list.


Disable DNS resolving – check this box if you don't want CommView to perform reverse DNS lookups of the IP addresses. If you check it, the Hostname column on the Latest IP Connections tab will be blank.

Convert numeric port values to service names – check this box if you want CommView to display service names rather than numbers. For example, if this box is checked, port 21 is shown as ftp, and port 23 as telnet. The program converts numeric values to service names using the SERVICES file installed by Windows. You can find the SERVICES file in the \system32\drivers\etc folder. You can edit this file manually if you want to add more ports/service names.

Convert MAC addresses to aliases – substitute MAC addresses for aliases on the Packets tab. Aliases can be assigned to MAC addresses using the Settings =>MAC Aliases menu command.

Convert IP addresses to aliases – substitute IP addresses for aliases on the Packets and Statistics tabs. Aliases can be assigned to IP addresses using the Settings =>IP Aliases menu command.

Convert IP addresses to hostnames in the "Packets" tab – check this box if you want CommView to show resolved hostnames rather than IP addresses in the Packets tab. If this box is checked, CommView will first attempt to find an alias for the given IP address. If no alias is found or the previous box (Convert IP addresses to aliases) is not checked, CommView will query the internal DNS cache for the hostname. If no hostname is found, the IP address will be displayed in numeric form.

Display vendor names in the MAC addresses – by default, CommView replaces the first three octets of the MAC address by the adapter vendor name on the Packets tab. Uncheck this checkbox if you want to change this behavior.

Use non-promiscuous mode – by default, CommView puts the network adapter in promiscuous mode, which means that the program captures all traffic in the local LAN segment. Checking this box switches CommView to non-promiscuous mode, which you sometimes may want to use, e.g. if your company's IT policy doesn't allow promiscuous packet monitoring, or to reduce CPU usage in the situation where you're interested only in your own inbound and outbound packets and have to filter out many pass-through packets.

Notify when the adapter list has changed – check this box if you want CommView to display a balloon message in the system tray area once the number of active network adapters has been changed.

Display full process path check this box if you want to see the full path to the process sending/receiving packets in the Latest IP connections tab, as well as in the decoded packets tree in the Packets tab (e.g. "C:\Files\Program.exe" is a full path, whereas "Program.exe" is a short path).

Display friendly adapter names – checking this option will make CommView display the adapter names in the adapter selection drop-down list in the tool bar as they appear in the Windows Network Connections page.

Show gridlines – makes the program draw gridlines in all packet lists.

Memory Usage


Maximum packets in buffer – sets the maximum number of packets the program stores in the memory and can display in the packet list (2nd tab). For example, if you set this value to 3000, only the last 3000 packets will be stored in the memory and packet list. The higher this value is, the more computer resources the program consumes.

Note that if you want to have access to a high number of packets, it is recommended that you use the auto-saving features (see Logging for more information): it allows you to dump all the packets to a log file on the hard drive.

Maximum lines in Latest IP Connections - sets the number of lines the program displays on the Latest IP Connections tab. When the number of connections exceeds the limit, the connections that have been idle for the longest period of time are removed from the list.

Driver Buffer - sets the driver buffer size. This setting affects the program's performance: the more memory allocated for the driver buffer, the fewer packets the program drops. For low traffic LANs and dial-up connections, the buffer size is not critical. For high traffic LANs, you may want to increase the buffer size if the program drops packets. To check the number of dropped packets, use the File => Performance Data menu command while capturing is on.

Latest IP Connections

Display Logic – allows you to select the Latest IP Connections layout that best suits your needs. Selecting an item from the drop-down list will display the description of the selected logic. In most cases, it is recommended to use the default Smart logic.

Define Local IP Addresses – you should use this tool if you monitor LAN traffic with many pass-through packets and a mixture of external and internal IP addresses. In such a situation CommView doesn't "know" which IP addresses should be treated as local and might reverse the IP addresses in the Local and Remote IP columns. This tool allows you to define the local network addresses and subnet masks to make sure the Latest IP Connections window works correctly. This will work only if you use the default Smart logic.

Add numeric PID to process names – check this box if you'd like the process ID (PID) shown next to the process name in the Process column.


Packet color – sets the color for displaying packets on the Packets tab based on the packet direction (in, out, pass-through). To change a color, select the packet direction from the drop-down list and click on the colored rectangular.

Colorize Packet Headers – check this box if you want CommView to colorize packet contents. If this box is checked, the program displays the first eight packet layers using different colors.  To change a color, select the type of header for which you want to change the color and click on the colored rectangular.

Formula syntax highlighting – sets the colors for highlighting keywords in formulas in the Advanced Rules window.

Selected byte sequence color – sets the font and background color for displaying the byte sequence that was selected in the decoder tree. For example, when you select the "TCP" tree node, the corresponding part of the packet will be highlighted using these colors.


Always fully expand all nodes in the decoder window – check this box if you would like to have all nodes in the decoder windows automatically expanded when you select a new packet in the packet list.

Expand the last nodes – check this box if you would like to have the last node(s) in the decoder window automatically expanded when you select a new packet in the packet list and set the number of nodes to be expanded. By default, the first node is expanded. This setting has no effect if the Always fully expand all nodes in the decoder window box is checked.

Expand level – set the number of levels to expand. This defines the "depth" of tree node expansion.

Decode up to the first level only in ASCII export – this option affects the decoding format used when you export a packet log or individual packet as ASCII file with decode. If this box is checked, only the top-level nodes will be saved. For example, if you save a TCP/IP packet when this option is disabled, all Type of service sub-nodes are saved. When this option is enabled, these sub-nodes are not saved. Checking this box makes the output ASCII file less detailed and more compact.

Ignore incorrect checksums when reconstructing TCP sessions – this option affects the way CommView treats malformed TCP/IP packets when reconstructing TCP sessions. By default, this option is on, and packets with incorrect checksums are not discarded in the process of reconstruction. If you turn off this option, packet with incorrect checksums will be discarded and not displayed in the TCP reconstruction window. Attention Gigabit card users: all your outbound packets will have incorrect checksums if the "checksum offload" feature is present. If you turn off this option, it's likely that you will see only half of the reconstructed TCP stream. The same applies to reconstructing loopback sessions, as loopback packets have zero checksums.

Include packet numbers when reconstructing TCP sessions check this box if you'd like the chunks of data shown in the TCP session reconstruction window to be prepended by the packet numbers that correspond to these chunks of data.

Search for the session start when reconstructing TCP sessions if this box is checked, the program will attempt to find the beginning of the TCP session when you reconstruct it. If it is not checked, the session will be reconstructed only from the selected packet, i.e. earlier packets will be discarded.

Decompress GZIP content – check this box if you want CommView to convert GZIP-compressed HTTP content into readable text in the TCP Session Reconstruction windows. GZIP content is decompressed only when the display type in the window is set to "ASCII".

Reconstruct images – check this box if you want CommView to convert binary HTTP streams that represent images into viewable JPG, BMP, PNG, and GIF pictures in the TCP Session Reconstruction windows. Images are shown only when the display type in the window is set to "HTML". Images are never shown within the HTML pages to which they belong, as they are transferred by the server in a separate HTTP session.

Use IPv4-style endings in IPv6 addresses if this box is not checked, IPv6 addresses are shown using hexadecimal symbols only, e.g. fe80::02c0:26ff:fe2d:edb5. If this box is checked, the last 4 bytes of IPv6 addresses are shown using the IPv4-style dotted notation, e.g. fe80::02c0:26ff:

Reassemble fragmented IP packets check this box if you'd like the program to reassemble IP packets that are fragmented. By default, fragmented IP packets are displayed as they were received from the wire, in their original form. If this option is turned on, the program will maintain an internal buffer of fragments and will attempt to "glue" them, displaying only the results of successful reassembly.

Attempt to map incoming UDP packets to processes by default, the program's packet-to-application mapping system does not try to map incoming UDP packets to an owning process due to the  probabilistic nature of such mapping. Check this box if you'd like the program to attempt to map these packets.

Default display type – select the display type value from the drop-down list that you want to set as default for TCP Session Reconstruction function. The available values are ASCII, HEX, HTML, and EBCDIC.


Note: The VoIP analysis module is only available to VoIP license users or evaluation version users who selected VoIP evaluation mode.

Disable VoIP analysis – disables capture and analysis of VoIP data. Check this box if you don't plan to work with VoIP and want to minimize the usage of computer resources by the application.

Maximum records in the list – limits the number of displayed and processed VoIP events. When the number of records exceed the specified limit, older records are deleted from the lists.

Ignore orphan RTP streams – when this box is checked, VoIP analyzer will ignore captured RTP data streams that don't have a parent signaling session. Orphan RTP streams typically appear if packet capturing was started in the middle of a call, or the signaling protocol is unknown to the application (i.e. not SIP and not H.323), or the signaling protocol was sent in a non-standard manner (e.g. encrypted or as part of some other session). Such streams are still available for analysis, and sometimes for playback. Please see the Call Playback chapter for more detailed information on playing VoIP calls. If you are not interested in such orphan streams and want to save on computer resources, please disable this option. Note that when orphan streams are not ignored, VoIP analyzer may mistakenly identify data transferred over UDP protocol as RTP streams. Generally, this is not an error, as RTP packets don't have a standard uniform signature, so such "false positives" are ok.


Geolocation is IP-to-country mapping for IP addresses. When this functionality is enabled, CommView checks the internal database to provide information on the country any IP address belongs to. You can configure the program to show ISO country code, Country name, or Country flag next to any IP address. You can also disable geolocation. For some IP addresses, such as reserved ones (e.g. 192.168.*.* or 10.*.*.*) no information on the country can be provided. In such cases, the country name is not shown, or if you use the Country flag option, a flag with a question mark is displayed.

As IP allocation is constantly changing, it's important that you always have an up-to-date version of CommView. A fresh, up-to-date database is included in every CommView build. A fresh database has 98% accuracy. Without updates, the accuracy percentage falls by approximately 15% every year.


Hide from the taskbar on minimization - check this box if you don't want to see the program's button on the Windows taskbar when you minimize the program. If this box is checked, use the program's system tray icon to restore it after minimization.

Allow multiple application instances – check this box if you would like have multiple CommView instances running simultaneously to be able to capture traffic going through different adapters. This option is not available under Windows 95.

Prompt for confirmation when exiting the application – check this box if you would like the program to ask you for a confirmation when you close it.

Auto-scroll packet data window - if this box is checked, the program scrolls the text of the packet data window automatically when you select a new packet from the packets list (but only if the text does not fit into the window). This is useful when you want to see the contents of a long packet without manually scrolling the window.

Auto-scroll packet list to the last packet - if this box is checked, the program automatically scrolls the packet list in the Packets tab down to the last received packet.

Auto-sort new records in Latest IP Connections - if this box is checked, the program auto-sorts new records on the Latest IP Connections tab based on the user-defined sorting criterion  (e.g. ascending order of remote IP addresses).

Smart CPU utilization control – if this box is checked, the program tries to decrease CPU utilization when capturing high-volume traffic by decreasing the quality and frequency of the screen updates.

Run on Windows startup - if this box is checked, the program is launched automatically every time you start Windows. Under Windows Vista and higher, this box is disabled if UAC is enabled. This is a limitation of Windows Vista and newer Windows versions that prevents applications with elevated rights from loading on startup. If this feature is important, disable UAC.

Run minimized - if this box is checked, the program is launched minimized and the main window is not displayed until you click on the tray icon or taskbar button.

Enable automatic application updates – check this box to let the program connect to the TamoSoft Web site periodically and check for updates. Use the Interval between checks box to configure how often the checks should be made.


This tab is used by 3-rd party plug-ins for performing configuration tasks. Please see Custom Decoding chapter for more information.