|
CommView and CommView for WiFi use the data format described below
for writing captured packets to .NCF or .NCFX files. This is an
open data format that you can use for processing log files
generated by CommView in your applications, as well as for
exchanging data with your application directly (this method is
described in this help file).
NCFX Format
This new format was introduced in CommView for WiFi 7.3. Older
CommView for WiFi versions and current CommView (non-Wi-Fi)
versions use the old NCF format described in the corresponding
section below.
Packets are recorded consecutively. Two or more headers, the
structure of which is given below, prepend each packet body. All
header fields with the length exceeding one byte use little-endian
order and are unsigned.
General Header – Mandatory. Length = 20 bytes.
|
Field name
|
Length
(bytes)
|
Description
|
|
Data length
|
4
|
The length of the packet, including the length of this and the
following headers and including the length of the packet contents
(body).
|
|
Year
|
2
|
Packet date (year).
|
|
Month
|
1
|
Packet date (month).
|
|
Day
|
1
|
Packet date (day).
|
|
Hours
|
1
|
Packet time (hours).
|
|
Minutes
|
1
|
Packet time (minutes).
|
|
Seconds
|
1
|
Packet time (seconds).
|
|
Microseconds
|
4
|
Packet time (microseconds).
|
|
Medium type
|
1
|
The type of the packet medium. 0x01 for Wi-Fi packets, 0x00 for
Ethernet packets.
|
|
Decryption flag
|
1
|
0x01 if the packet has already been decrypted by CommView for WiFi
and is being saved in decrypted form. 0x00 otherwise.
|
|
Direction
|
1
|
For Ethernet packets, packet direction: 0x00 for pass-through, 0x01
for inbound, 0x02 for outbound. For Wi-Fi packets, always
0x00.
|
|
Reserved1
|
1
|
Currently unused.
|
|
Reserved2
|
1
|
Currently unused.
|
RF Header – Mandatory. Length = 20 bytes.
|
Field name
|
Length
(bytes)
|
Description
|
|
RF Header length
|
2
|
The length of this header, including the length of all additional
extensions (headers), if any.
|
|
Packet status and modulation
|
2
|
A bitmask where one or several of the following bits are
set:
Bit 0 – the packet is damaged (wrong FCS)
Bit 1 – Packet sent using an HT PHY rate (802.11n)
Bit 2 – Packet sent using an VHT PHY rate (802.11ac)
Bit 3 – Packet sent using an HE PHY rate (802.11ax)
Bit 4 – HE modulation, 0 – OFDM, 1 – OFDMA, valid only if Bit 3 is
set.
|
|
Frequency band
|
2
|
0x40 for 5 GHz, 0x80 for 2.4 GHz.
|
|
Channel
|
2
|
Wi-Fi channel.
|
|
Noise in dBm
|
1
|
Noise level in dBm, as an unsigned value. E.g., -90 dBm is stored
as 90.
|
|
Signal in dBm
|
1
|
Signal level in dBm, as an unsigned value. E.g., -30 dBm is stored
as 30.
|
|
Signal in percent
|
1
|
Signal level as percentage.
|
|
Reserved
|
1
|
Currently unused.
|
|
PHY Rate
|
4
|
PHY data transmission rate in Mbps multiplied by 10.
|
|
Extensions' presence
|
4
|
A bitmask indicating the presence of additional extensions
(headers) following this RF header. For example, if the bits 3, 2,
and 0 are set, then this RF header is followed by an extension of
type 0, then the extension of type 2, and then the extension of
type 3.
|
Currently Supported Extensions
MCS Header Type 0 – Optional. Size = 4 bytes.
Note that the MCS Header Type 0 is never added if you capture
packets using a pre-802.11ac adapter. MCS information is added only
if use 802.11ac or 802.11ax adapters for capturing.
|
Field name
|
Length
(bytes)
|
Description
|
|
MCS Index
|
1
|
MCS index.
|
|
Number of streams
|
1
|
Number of MIMO spatial streams less 1; i.e. the 0x00 value means
one stream.
|
|
Channel width
|
1
|
Channel width.
If bit 4 of the
Packet status and modulation
field equals 0 (OFDM modulation):
0x00 – 20 MHz, 0x01 – 40 MHz, 0x02 – 80 MHz, 0x03 – 160 MHz.
If bit 4 of the
Packet status and modulation
field equals 1 (OFDMA modulation):
0x00 - 26-tone RU, 0x01 – 52-tone RU, 0x02 – 106-tone RU, 0x03 –
242-tone RU,
0x04 – 484-tone RU, 0x05 – 996-tone RU, 0x06 – 1992-tone RU
(996x2-tone RU)
|
|
GI
|
1
|
Guard Interval: 0x00 - 0.8μs, 0x01 - 0.4μs, 0x02 - 1.6μs, 0x03 -
3.2μs
|
The packet body follows the headers. The packet body does not
contain the 4-byte FCS at the end.
Example #1: A 350-byte long beacon packet sent at the legacy PHY
rate of 6 Mbps would be stored as:
[20 bytes of the General Header, in which the
Data length
field is set to 390] + [20 bytes of the RF header, in which
the
RF Header length
field is set to 20 and in which
the Extensions' presence
field is set to 0x00000000] + [350 bytes of the packet
body]
Example #2: A 1002-byte long data packet sent at the VHT PHY rate
of 72.2 Mbps would be stored as:
[20 bytes of the General Header, in which the
Data length
field is set to 1046] + [20 bytes of the RF header, in which
the
RF Header length
field is set to 24 and in which the
Extensions' presence
field is set to 0x00000001] + [4 bytes of the MCS Header] + [1002
bytes of the packet body]
NCF Format
This format is used in CommView (any version) and CommView for WiFi
version 7.2 and older. Newer CommView for WiFi versions (7.3 and
newer) use the NCFX format described in the corresponding section
above.
Packets are recorded consecutively. A 24-byte header, the structure
of which is given below, prepends each packet body. All header
fields with the length exceeding 1 byte use little-endian byte
order.
|
Field name
|
Length
(bytes)
|
Description
|
|
Data Length
|
2
|
The length of the packet body that follows the header
|
|
Source Data Length
|
2
|
The original length of the packet body that follows the header
(without compression). If no compression is being used, the value
of this field is equal to the value of the previous field.
|
|
Version
|
1
|
Packet format version (0 for the current implementation)
|
|
Year
|
2
|
Packet date (year)
|
|
Month
|
1
|
Packet date (month)
|
|
Day
|
1
|
Packet date (day)
|
|
Hours
|
1
|
Packet time (hours)
|
|
Minutes
|
1
|
Packet time (minutes)
|
|
Seconds
|
1
|
Packet time (seconds)
|
|
Microseconds
|
4
|
Packet time (microseconds)
|
|
Flags
|
1
|
Bit flags:
|
Medium
|
0...3
|
Medium type for the packet (0 - Ethernet, 1 - WiFi, 2 - Token
Ring)
|
|
Decrypted
|
4
|
The packet has been decrypted (applicable to WiFi packets
only)
|
|
Broken
|
5
|
The packet was corrupted, i.e. had the incorrect CRC value
(applicable to WiFi packets only)
|
|
Compressed
|
6
|
The packet is stored in compressed form
|
|
Reserved
|
7
|
Reserved
|
|
|
Signal Level
|
1
|
Signal level in percent (applicable to WiFi packets only)
|
|
Rate
|
1
|
Data transmission rate in Mbps multiplied by 2 (applicable to WiFi
packets only)
|
|
Band
|
1
|
Transmission band. 0x01 for 802.11a, 0x02 for 802.11b, 0x04 for
802.11g, 0x08 for 802.11a-turbo, 0x10 for 802.11 SuperG, 0x20 for
4.9 GHz Public Safety, 0x40 for 5 GHz 802.11n/ac, 0x80 for 2.4 GHz
802.11n/ac. (applicable to WiFi packets only)
|
|
Channel
|
1
|
Channel number (applicable to WiFi packets only)
|
|
Direction
|
1
|
For non-WiFi packets, packet direction. 0x00 for pass-through, 0x01
for inbound, 0x02 for outbound. For WiFi packets, the high order
byte for the packet rate, if the one-byte Rate field cannot
accommodate the value (i.e. the value is higher than 255).
|
|
Signal Level (dBm)
|
1
|
Signal level in dBm (applicable to WiFi packets only)
|
|
Noise Level (dBm)
|
1
|
Noise level in dBm (applicable to WiFi packets only)
|
|
Data
|
Variable
|
Packet body (unmodified, as transmitted over the media). If the
compression flag is set, the data is compressed using the publicly
available Zlib 1.1.4 library. The length of this field is recorded
in Data Length.
|
The total header length is 24 bytes.
If packets are stored in compressed form, the
Data Length
field contains the length of data after compression, whilst
the
Source Length
field contains the original data length. If a packet is
uncompressed, both fields contain the same value.
|
