CommView® Tutorial
    Packet Sniffing Is Fun!

Packets, Packets, Packets …

Looking at the Captured Packets

Now that we've learned about the first tab of the CommView main window, let's move to the second one, Packets. This three-pane tab allows you to see every single packet that passes through your network adapter in any direction. The packet list shows packet summaries and lets you browse the packet list, the data window displays the packet contents, and the decoder tree does just what the name suggests - it decodes packet headers to display every detail. These panes can be aligned in three different ways using this little tool bar:

Packet decoder tool bar

We didn't include the decoder tree in the illustrations below to make them more compact, but you can always play with the decoder using your copy of CommView.

The data being sent across a network is "packetized," i.e. broken down into multiple packets that are each sent individually across the network and then reassembled on the other side. In our example, loading the main page of the Wikipedia Web site involved one packet from our PC to the Web server (the browser had to request the page), and several packets from the Web server to our PC (the Web server had to send the requested page, but since the Web page is about 10,000 bytes in size and the typical packet size is 1,500 bytes, it had to be broken down into about 7 packets).

Now, let's select one of the HTTP packets:

HTTP packet

Depending on which packet you have selected, you may be looking at the browser page request or the server reply that contains the Web page source. The picture above shows the latter. If you know what HTML is, you'll surely recognize the HTML code of a typical Web page!

What you see in the data window is the standard hexadecimal representation of the packet. The first column shows the offset of each line, the second column shows the packet contents in hexadecimal representation, and the third one shows the ASCII (plain text) equivalent. Why do we need both hexadecimal and ASCII data? Because sometimes, one is easier to read than the other. Congratulations, you've just looked into your first network packet.

We'll talk more about the more things you can do with this information, but for now let's try something cool. Imagine…it's Sunday night, and you've just downloaded and installed a new e-mail program. Surprisingly enough, it's better than the one you're currently using! So you decide to start using it immediately. You import your database and settings from the old program, but…you can't import your e-mail password. And you forgot it, of course (who can remember that JKH667RtfS word that you chose a year ago and never had to type since then, right?). And your ISP's technical support doesn't work on Sunday night.

Here is a work-around. Check your e-mail box using your old e-mail program and capture that session with CommView. Now, browse through the POP3 packets:

POP3 user name

That was the user name …

POP3 server response

… and that's the mail server requesting the password …

POP3 password

… and here is the password we were looking for!

By the way, if you need to look at the packets related to a particular connection listed on the Latest IP Connections tab, you can do so by simply double-clicking on the line representing that connection.

Previous chapter Next chapter

Copyright © 1998-2016 TamoSoft. All Rights Reserved. No part of this site can be reproduced or duplicated in any form without the express written permission of TamoSoft. CommView is a registered trademark of TamoSoft. All other product names and trademarks are the property of their respective holders.