WLAN Analyzer and Decoder - CommView for WiFi


Setting Options

You can configure some of the program's options by selecting Settings => Options in the menu.


Auto-start capturing – check this box if you want CommView to start capturing packets immediately after launching the program. Please select the channel that you would like to monitor from the drop-down list.

Disable DNS resolving – check this box if you don't want CommView to perform reverse DNS lookups of the IP addresses. If you check it, the Hostname column on the Latest IP Connections tab will be blank.

Convert numeric port values to service names – check this box if you want CommView to display service names rather than numbers. For example, if this box is checked, port 21 is shown as ftp, and port 23 as telnet. The program converts numeric values to service names using the SERVICES file installed by Windows. You can find it in the C:\Windows\system32\drivers\etc folder. You can edit this file manually if you want to add more ports/service names.

Convert MAC addresses to aliases – replaces MAC addresses with aliases on the Packets tab. Aliases can be assigned to MAC addresses using the Settings => MAC Aliases menu command.

Convert IP addresses to aliases – replaces IP addresses with aliases on the Packets and Statistics tabs. Aliases can be assigned to IP addresses using the Settings => IP Aliases menu command.

Convert IP addresses to hostnames in the "Packets" tab – check this box if you want CommView to show resolved hostnames rather than IP addresses in the Packets tab. If this box is checked, CommView will first attempt to find an alias for the given IP address. If no alias is found or the previous box (Convert IP addresses to aliases) is not checked, CommView will query the internal DNS cache for the hostname. If no hostname is found, the IP address will be displayed in numeric form.

Display vendor names in the MAC addresses – by default, CommView replaces the first three octets of the MAC address with the adapter vendor name in the Packets tab. Uncheck this checkbox if you want to change this behavior.

Capture Damaged Packets – because of the distance, radio interference, and other physical phenomena, some packets received by your wireless adapter might be damaged, i.e. contain partly or fully invalid data. Check this box if you want the program to capture and display such packets. This option has both drawbacks and advantages. The advantage is that if you are located far away from WLAN stations and/or access points, a high percentage of packets might be broken, and enabling this option would allow you to see more data, even though the data might be partly damaged. However, the drawback is that you would see some packets with invalid data, e.g. you might see IP packets sent to non-existent IP addresses. Also, when this box is checked, the program will try to decrypt those WEP- or WPA-encrypted packets in which the Integrity Check Value is incorrect, but the headers appear to be valid.

Memory Usage


Maximum packets in buffer – sets the maximum number of packets the program stores in the memory and can display in the packet list (2nd tab). For example, if you set this value to 3000, only the last 3000 packets will be stored in the memory and packet list. The higher this value is, the more computer resources the program consumes.

Note that if you want to have access to a high number of packets, it is recommended that you use the auto-saving features (see Logging for more information): it allows you to dump all the packets into a log file on the hard drive.

Maximum Latest IP Connections lines – sets the number of lines the program displays on the Latest IP Connections tab. When the number of connections exceeds the limit, the connections that have been idle for the longest period of time are removed from the list.

Driver Buffer – sets the driver buffer size. This setting affects the program's performance: the more memory allocated for the driver buffer, the fewer packets the program drops. For low traffic WLANs, the buffer size is not critical. For high traffic WLANs, you may want to increase the buffer size if the program drops packets. To check the number of dropped packets, use the File => Performance Data menu command while capturing is on.

Latest IP Connections

Display Logic – allows you to select the Latest IP Connections layout that best suits your needs. Selecting an item from the drop-down list will display the description of the selected logic. In most cases, it is recommended to use the default Smart logic.

Define Local IP Addresses – you should use this tool if you monitor WLAN traffic with many pass-through packets and a mixture of external and internal IP addresses. In such a situation, CommView for WiFi does not "know" which IP addresses should be treated as local and might reverse the IP addresses in the Source and Destination IP columns. This tool allows you to define the local network addresses and subnet masks to make sure the Latest IP Connections window works correctly. This will work only if you use the default Smart logic.


Packet color – sets the colors for displaying different kinds of packets (Normal, Bad CRC, Bad ICV) on the Packets tab.

Colorize Packet Headers – check this box if you want CommView to colorize packet contents. If this box is checked, the program displays the first eight packet layers using different colors. To change a color, select the type of header for which you want to change the color and click on the colored rectangle.

Formula syntax highlighting – sets the colors for highlighting keywords in formulas in the Advanced Rules window.

Selected byte sequence color – sets the font and background color for displaying the byte sequence that was selected in the decoder tree. For example, when you select the "TCP" tree node, the corresponding part of the packet will be highlighted using these colors.

Management frame color – sets the colors for different types of Management frames. Color is used in the Protocol column of the Packets tab to show the corresponding frame types.


Always fully expand all nodes in the decoder window – check this box if you would like to have all nodes in the decoder windows automatically expanded when you select a new packet in the packet list.

Expand the last nodes – check this box if you would like to have the last node(s) in the decoder window automatically expanded when you select a new packet in the packet list and set the number of nodes to be expanded. By default, the first node is expanded. This setting has no effect if the Always fully expand all nodes in the decoder window box is checked.

Expand level – set the number of levels to expand. This defines the "depth" of tree node expansion.

Decode up to the first level only in ASCII export – this option affects the decoding format used when you export a packet log or individual packet as an ASCII file with decoding. If this box is checked, only the top-level nodes will be saved. For example, if you save a TCP/IP packet when this option is disabled, all Type of service sub-nodes are saved. When this option is enabled, these sub-nodes are not saved. Checking this box makes the output ASCII file less detailed and more compact.

Ignore incorrect checksums when reconstructing TCP sessions – this option affects the way CommView treats malformed TCP/IP packets when reconstructing TCP sessions. By default, this option is on, and packets with incorrect checksums are not discarded in the process of reconstruction. If you turn off this option, packets with incorrect checksums will be discarded and not displayed in the TCP reconstruction window.

Include packet numbers when reconstructing TCP sessions – check this box if you'd like the chunks of data shown in the TCP session reconstruction window to be prepended by the packet numbers that correspond to these chunks of data.

Search for the session start when reconstructing TCP sessions – if this box is checked, the program will attempt to find the beginning of the TCP session when you reconstruct it. If it is not checked, the session will be reconstructed only from the selected packet, i.e. earlier packets will be discarded.

Decompress GZIP content – check this box if you want CommView to convert GZIP-compressed HTTP content into readable text in the TCP Session Reconstruction windows. GZIP content is decompressed only when the display type in the window is set to "ASCII."

Reconstruct images – check this box if you want CommView to convert binary HTTP streams that represent images into viewable JPG, BMP, PNG, and GIF pictures in the TCP Session Reconstruction windows. Images are shown only when the display type in the window is set to "HTML." Images are never shown within the HTML pages to which they belong, as they are transferred by the server in a separate HTTP session.

Use IPv4-style endings in IPv6 addresses – if this box is not checked, IPv6 addresses are shown using hexadecimal symbols only, e.g. fe80::02c0:26ff:fe2d:edb5. If this box is checked, the last 4 bytes of IPv6 addresses are shown using the IPv4-style dotted notation, e.g. fe80::02c0:26ff:

Reassemble fragmented IP packets – check this box if you would like the program to reassemble IP packets that are fragmented. By default, fragmented IP packets are displayed as they were received from the wire, in their original form. If this option is turned on, the program will maintain an internal buffer of fragments and will attempt to "glue" them, displaying only the results of successful reassembly.
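The fragment buffer described above can be illustrated with a generic IPv4 reassembler. This is an added example, not CommView's code: the Reassembler class, its method names, and the sample addresses are assumptions made for illustration. It returns a payload only on successful reassembly and discards datagrams whose fragments overlap.

```python
# Added illustration (not CommView's code): generic IPv4 fragment reassembly.
class Reassembler:
    def __init__(self):
        # (src, dst, proto, ip_id) -> {"parts": {byte_offset: payload}, "total": int or None}
        self.buf = {}

    def pending(self):
        """Number of datagrams still waiting for fragments."""
        return len(self.buf)

    def add(self, src, dst, proto, ip_id, frag_off, more_frags, payload):
        """Feed one packet. frag_off is in 8-byte units, as in the IPv4 header.
        Returns the full payload once reassembly succeeds, otherwise None."""
        if frag_off == 0 and not more_frags:
            return payload                      # not fragmented at all
        if more_frags and len(payload) % 8:
            return None                         # malformed: only the last fragment may be unaligned
        key = (src, dst, proto, ip_id)
        entry = self.buf.setdefault(key, {"parts": {}, "total": None})
        start = frag_off * 8
        entry["parts"].setdefault(start, payload)   # duplicate offset: keep the first copy
        if not more_frags:
            entry["total"] = start + len(payload)   # final fragment fixes the datagram length
        return self._finish(key)

    def _finish(self, key):
        entry = self.buf[key]
        if entry["total"] is None:
            return None                         # last fragment not seen yet
        out = bytearray()
        for start in sorted(entry["parts"]):
            if start > len(out):
                return None                     # hole: keep waiting
            if start < len(out):
                del self.buf[key]               # overlapping fragments are ambiguous: discard
                return None
            out += entry["parts"][start]
        del self.buf[key]
        return bytes(out) if len(out) == entry["total"] else None

def demo():
    """Constructed sample: three fragments of one datagram arriving out of order."""
    r = Reassembler()
    flow = ("192.0.2.10", "192.0.2.20", 17, 0x1234)
    results = [r.add(*flow, 3, False, b"C" * 5),
               r.add(*flow, 0, True, b"A" * 16),
               r.add(*flow, 2, True, b"B" * 8)]
    return results, r.pending()
```

A long-running capture would also expire incomplete entries after a timeout so that lost fragments do not accumulate in the buffer.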

Display signal level in dBm – check this box if you would like the program to display signal strength in dBm rather than in percentile format. The availability of signal level in dBm depends on the wireless adapter model being used. Please refer to the Understanding Signal Strength chapter for more information.

Default display type – select the display type value from the drop-down list that you want to set as default for the TCP Session Reconstruction function. The available values are ASCII, HEX, HTML, and EBCDIC.


IMPORTANT: The VoIP analysis module is only available to VoIP license users or evaluation version users who selected VoIP evaluation mode.

Disable VoIP analysis – disables capture and analysis of VoIP data. Check this box if you do not plan to work with VoIP and want to minimize the usage of computer resources by the application.

Maximum records in the list – limits the number of displayed and processed VoIP events. When the number of records exceeds the specified limit, older records are deleted from the lists.

Ignore orphan RTP streams – when this box is checked, VoIP analyzer will ignore captured RTP data streams that do not have a parent signaling session. Orphan RTP streams typically appear if packet capturing was started in the middle of a call, or the signaling protocol is unknown to the application (i.e. not SIP and not H.323), or the signaling protocol was sent in a non-standard manner (e.g. encrypted or as part of some other session). Such streams are still available for analysis, and sometimes for playback. Please see the Call Playback chapter for more detailed information on playing VoIP calls. If you are not interested in such orphan streams and want to save on computer resources, please disable this option. Note that when orphan streams are not ignored, VoIP analyzer may mistakenly identify data transferred over UDP protocol as RTP streams. Generally, this is not an error, as RTP packets do not have a standard uniform signature, so such "false positives" are ok.

Ignore damaged packets in VoIP analyzer – when this box is checked, wireless packets with bad CRC will be discarded by the VoIP analysis module. This prevents the application from creating "ghost" signaling or media streams that may appear if packets with bad CRC are not dropped.


Geolocation is IP-to-country mapping for IP addresses. When this functionality is enabled, CommView checks the internal database to provide information on the country any IP address belongs to. You can configure the program to show ISO country code, Country name, or Country flag next to any IP address. You can also disable geolocation. For some IP addresses, such as reserved ones (e.g. 192.168.*.* or 10.*.*.*) no information on the country can be provided. In such cases, the country name is not shown, or if you use the Country flag option, a flag with a question mark is displayed.

As IP allocation is constantly changing, it's important that you always have an up-to-date version of CommView. A fresh, up-to-date database is included in every CommView build. A fresh database has 98% accuracy. Without updates, the accuracy percentage falls by approximately 15% every year.


Hide from the taskbar on minimization – check this box if you do not want to see the program's button on the Windows taskbar when you minimize the program. If this box is checked, use the program's system tray icon to restore it after minimization.

Prompt for confirmation when exiting the application – check this box if you would like the program to ask you for a confirmation when you close it.

Auto-scroll packet data window – if this box is checked, the program scrolls the text of the packet data window automatically when you select a new packet from the packets list (but only if the text does not fit into the window). This is useful when you want to see the contents of a long packet without manually scrolling the window.

Auto-scroll packet list to the last packet – if this box is checked, the program automatically scrolls the packet list in the Packets tab down to the last received packet.

Auto-sort new records in Latest IP Connections – if this box is checked, the program auto-sorts new records on the Latest IP Connections tab based on the user-defined sorting criterion (e.g. ascending order of remote IP addresses).

Smart CPU utilization control – if this box is checked, the program tries to decrease CPU utilization when capturing high-volume traffic by decreasing the quality and frequency of the screen updates.

Run on Windows startup – if this box is checked, the program is launched automatically every time you start Windows. Under Windows Vista and higher, this box is disabled if UAC is enabled. This is a limitation of Windows Vista and newer Windows versions that prevents applications with elevated rights from loading on startup. If this feature is important, disable UAC.

Run minimized – if this box is checked, the program is launched minimized and the main window is not displayed until you click on the tray icon or taskbar button.

Show gridlines – makes the program draw gridlines in all packet, channel, and AP lists.

Enable automatic application updates – check this box to let the program connect to the TamoSoft Web site periodically and check for updates. Use the Interval between checks box to configure how often the checks should be made.


This tab is used by 3rd party plug-ins for performing configuration tasks. Please see Custom Decoding for more information.