This tool allows you to view the TCP conversation between two hosts. To reconstruct a TCP session, you should first select a TCP packet on the Packets tab. Depending on the settings (the "Search for the session start when reconstructing TCP sessions" box in Settings => Options => Decoding), the session will be reconstructed either from the selected packet, which may be in the middle of the "conversation", or from the session start. If you want to reconstruct the entire session, it is recommended that you select the first packet in the session; otherwise, the reconstruction may start in the middle of the "conversation." After you locate and select the packet, right-click on it and select Reconstruct TCP Session from the pop-up menu as shown below:
Reconstructing sessions works best for text-based protocols, such as POP3, Telnet, or HTTP. Of course, you can also reconstruct a download of a large zipped file, but it can take CommView a long time to reconstruct several megabytes of data, and the obtained information would be useless in most cases. The Contents tab displays the actual session data, while the Session Analysis tab graphically displays the flow of the reconstructed TCP session.

A sample HTTP session that contains HTML data displayed in ASCII and HTML modes is shown below:
In HTML display mode, HTML pages typically do not include inline graphics, because in the HTTP protocol images are transferred separately from HTML data. To view the images, it is usually necessary to navigate to the next TCP session. A sample HTTP session that contains image data displayed in HTML mode is shown below:
By default, CommView attempts to decompress GZIP'd web content and reconstruct images from binary streams. If you want to turn off this functionality, use the Decoding tab of the program's Options dialog.
You can filter out the data that came from one of the directions by unchecking one of the check boxes on the bottom pane. Incoming and outgoing data are marked with different colors for your convenience. If you want to change one of the colors, click Settings => Colors and pick a different color. You can enable or disable word wrapping using the Word Wrap item in the Settings menu.
The Display type drop-down list allows you to view data in the ASCII (plain-text data), HEX (hexadecimal data), HTML (web pages and images), EBCDIC (IBM mainframes' data encoding), and UTF-8 (Unicode data) formats. Please note that viewing data as HTML does not necessarily produce exactly the same result as the one you can see in the web browser (e.g. you will not be able to see inline graphics); however, it should give you a good idea of what the original page looked like.
You can choose the default display type for the TCP Session Reconstruction window in the Decoding tab of the program's Options dialog.
The Navigation buttons allow you to search the buffer for the next or previous TCP session. The first forward button (>>) will search for the next session between the two hosts that were involved in the first reconstructed session. The second forward button (>>>) will search for the next session between any two hosts. If you have multiple TCP sessions between the two hosts in the buffer and you'd like to see them all one by one, it is recommended to start the reconstruction from the first session, as the back button (<<) cannot navigate beyond the TCP session that was reconstructed first.
The obtained data can be saved as a binary data, HTML, text, or rich text file by clicking File => Save As…. When saving in text format, the resulting file is a Unicode UTF-16 file. When saving in HTML format, the encoding of the resulting file depends on the currently selected Display type. If HTML is currently selected, the resulting file is an ANSI text file; for all other display types, the resulting file is a Unicode UTF-16 file. Note that if you are saving an HTTP session with images, the images in the saved HTML file are stored in a temporary location on your hard drive, so if you want to preserve them, open the saved file in your browser and re-save the file in a format that includes images, such as MHT, before closing CommView for WiFi.

You can search for a string in the session by clicking Edit => Find….
Session Analysis

The Session Analysis tab of the TCP Session window graphically displays the reconstructed TCP session. You can see the session data flow, errors, delays, and retransmissions of lost data. The following data is displayed for every session packet:

· TCP flags.
· Absolute and relative SEQ and ACK values.
· Packet arrival time.
· Delta time between the current and previous packet.
· Packet number in the reconstructed session.

If a packet contains errors, the nature of the error is explained. It appears as a text description along the right edge of the graph. When you move the mouse over a packet, its contents are displayed in a hint window if the packet contains any data. Note that the Display type field affects the way the data is decoded in the hint window. A sample session analysis window is shown below:
The right pane shows some basic statistics for the given session:

Connection Time - the time it took to establish the TCP connection. In other words, it is the three-way TCP handshake time (SYN => SYN ACK => ACK).

Server Response Time - the time elapsed between the initial client request and the server's first data response.

Data Transfer Time - the time between the server's first and final data responses (0 if there was only one server response).
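The per-packet fields and the three statistics listed above, computed from a constructed packet list. This is an added example, not CommView code; the packet timings, flags and sequence numbers are made up for illustration.

```python
# Added example (not CommView code): derive the Session Analysis fields
# (relative SEQ/ACK, delta time, packet number) and the three timing
# statistics from a constructed TCP session.
from dataclasses import dataclass


@dataclass
class Pkt:
    t: float        # arrival time in seconds (constructed)
    client: bool    # True if sent client -> server
    flags: str      # e.g. "SYN", "SYN ACK", "ACK", "PSH ACK"
    seq: int        # absolute sequence number
    ack: int        # absolute acknowledgement number (0 if ACK flag unset)
    data_len: int   # TCP payload bytes


# Constructed sample: handshake, one request, two server data segments, final ACK.
SESSION = [
    Pkt(0.000, True,  "SYN",     1000000, 0,       0),
    Pkt(0.020, False, "SYN ACK", 5000000, 1000001, 0),
    Pkt(0.021, True,  "ACK",     1000001, 5000001, 0),
    Pkt(0.025, True,  "PSH ACK", 1000001, 5000001, 120),
    Pkt(0.130, False, "PSH ACK", 5000001, 1000121, 1460),
    Pkt(0.145, False, "PSH ACK", 5001461, 1000121, 800),
    Pkt(0.146, True,  "ACK",     1000121, 5002261, 0),
]


def annotate(pkts):
    """Return (number, flags, relative SEQ, relative ACK, delta time) per packet."""
    isn = {}            # initial sequence number per direction
    rows, prev_t = [], None
    for n, p in enumerate(pkts, 1):
        isn.setdefault(p.client, p.seq)
        rel_seq = p.seq - isn[p.client]
        # Relative ACK is only meaningful once the peer's ISN has been seen.
        rel_ack = p.ack - isn[not p.client] if p.ack and (not p.client) in isn else 0
        delta = 0.0 if prev_t is None else p.t - prev_t
        prev_t = p.t
        rows.append((n, p.flags, rel_seq, rel_ack, round(delta, 3)))
    return rows


def statistics(pkts):
    """Connection, server response and data transfer times as defined above."""
    syn = next(p for p in pkts if p.client and p.flags == "SYN")
    hs_ack = next(p for p in pkts if p.client and p.flags == "ACK" and p.t > syn.t)
    first_req = next(p for p in pkts if p.client and p.data_len > 0)
    server_data = [p for p in pkts if not p.client and p.data_len > 0]
    return {
        "connection_time": round(hs_ack.t - syn.t, 3),
        "server_response_time": round(server_data[0].t - first_req.t, 3),
        # Single server response: first == last, so this is 0, as documented.
        "data_transfer_time": round(server_data[-1].t - server_data[0].t, 3),
    }
```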
You can save the graphic layout of the reconstructed TCP session as a BMP, GIF, or PNG file by right-clicking on the layout and selecting the Save Image As… menu item of the context menu. Sessions with a large number of packets will be split into multiple files.