PIAFCTM FAQ

Frequently Asked Questions

• How do I use this program?
• What is a packet?
• How do I print the list of packets?
• What is HTTP?
• What is the ACK time-out for?
• What does the Match case for Find and Filters do?
• How do I set up the packet filters to capture only the packets between my computer and another?
• Why does File Mode consistently state Error writing the file?
• What does this program use to capture packets?
• Are there any known bugs and/or issues?
• Why does the program installer say it's corrupt after I choose my language?
• How do I make it work correctly on Windows Vista/7?

Additional support resources

To find additional questions and answers, and/or to ask your own questions, see the PIAFCTM Support Forum.

Answers

How do I use this program?

Choosing the correct Mode:

Packet Mode:

Use this mode if you wish to capture individual data packets and view them in raw format (Text, Hex, or Dec).

File Mode:

Use this mode if you wish to capture pictures, web-pages, and things of that sort.

Choosing the correct interface IP address:

Each IP address listed represents an interface on the current system, not an IP address of a remote system; Try choosing the IP address of the network device you wish to capture from (the one you wish to use to capture with) and see what the program captures from it. If you only see one IP address listed, this choice should not be difficult.

For Packet Mode:

1. Choose Network interface from the Settings menu, then choose the appropriate interface in which to listen.
2. Press the Start button located on the main dialog.
3. Wait for one or more packets to arrive, during this time you may minimize the window as you will be notified in the event of a packet's arrival by way of PC-Speaker sound (If available), and by way of the program's text in the taskbar blinking.
4. When one or more packets have arrived, they will appear in the list located on the main dialog. You may then click one of these items to view its contents.

For File Mode:

1. Choose Network interface from the Settings menu, then choose the appropriate interface in which to listen.
2. Where it says Directory to store constructed files enter the directory you would like the constructed files to be placed in.
3. Press the Start button located on the main dialog.
4. When TCP traffic is detected, the Files processing under Current status will show the number of file streams currently being followed.
5. The Files written under Current status shows the number of files that have been written since the Start button has been pressed. Once one or more files have been written, you may go to the directory chosen with Windows Explorer or My Computer to view the files that have been written, also you may open these files directly with your web-browser.

What is a packet?

The way data is transmitted on a network is in the form of what are called packets, a packet is data. The first part of a packet is what is known as the packet header, this contains information such as where the packet is intended to go, where it came from, and much more. The second part of a packet is what is known as the packet data, this contains the extra information that is to be sent and is usually essential to the workings of what the packet is used for. A common packet is the ping packet (ICMP), this packet is sent from one computer to one or more other computers on a network, the computers that are at the address(es) specified should return a 'ping reply packet' to inform the sender of their connectivity to the network.

There are many different kinds of packets, all of which have their own properties and uses, some common types of packets are: TCP, UDP, ICMP, and ARP.

Of these types, TCP is the most used on the internet. TCP is used for things like HTTP (The protocol used for viewing web pages), FTP (A common protocol used to transfer files). and POP (The protocol used to check standard e-mail)

How do I print the list of packets?

1. Save the list by choosing File->Save.
2. Open the list in a text editor (Notepad, Word, Wordpad, etc.).
3. Choose File->Print in the text editor.

What is HTTP?

HTTP (Hyper-Text Tranfer Protocol) is the protocol over which the images and documents on web-pages are transferred.

What is the ACK time-out for?

The ACK time-out determines how long the program waits after receiving a packet from a file stream to determine that stream to be a complete file.

Entering a number too small will cause incomplete files to be written to the disk.

Under busy network conditions, entering a number too large may cause the program's max allowable streams (100,000) to be reached, resulting in the missing of some files that are being transferred. Entering a number too large also further delays the writing of files to the disk.

What does Match case for Find and Filters do?

This setting allows you to choose whether or not you wish for the packet filter text(s), and the Find text to be case sensitive (UPPER CASE vs. lower case).

How do I set up the packet filters to capture only the packets between my computer and another?

To set up the filters so as though the program will only capture packets going to and coming from a certain IP address, add your IP address along with the remote IP address to both the Source IP(s) must be: and Dest. IP(s) must be: lists.

For example, if your IP address were 10.0.0.1 and the remote IP address were 200.200.200.50, you would need to have the filters setup as follows:

Source IP(s) must be: 10.0.0.1 + 200.200.200.50

Dest. IP(s) must be: 10.0.0.1 + 200.200.200.50

Note, the order of the IP's in each list will NOT have an effect on the filtration.

Why does File Mode consistently state Error writing the file?

There are a several reasons why this error message could be stated while running this software. Below are reasons which may be common:

• The path you have entered in the box titled Directory to store constructed files: does not include a suffixion of \. For example, C:\Temp\ will work while C:\Temp will not (granted you have a Temp directory on drive C and no other error condition is occuring).
• The directory specified by the path does not exist. To verify the path specified (including the directory), click the Windows(c) Start button then click Run... then enter the exact same path into the box titled Open:, click OK. If the directory opens up successfully in Windows Explorer you have verified the path. Once again, be sure this is character for character the same as entered in PIAFCTM.
• The drive specified by the path is using the NTFS file system and the user account which the program is running on does not have Write / Create access to the specified directory.
• The drive specified by the path does not have sufficient free space to contain the constructed file without upsetting the operating system.
• The drive and/or directory specified does not have Write / Create access due to directory attributes and/or the drive containing the directory specified is not a writing device (a CDROM for example).

What does this program use to capture packets?

Version 1.5.2 uses a thing called Raw Sockets to capture packets, while higher versions (2.x and higher) can use Raw Sockets or the NetworkActiv PIAFCTM Packet Driver.

Are there any known bugs and/or issues?

Yes, there are several known bugs and issues:

• The program only captures one direction of the communications. This is a rather common issue with dial-up modems. To resolve this issue with network adapters, simply obtain NetworkActiv PIAFCTM 2.0 and choose to use the NetworkActiv PIAFCTM Packet Driver instead of Raw Sockets.
• When the Start button is pressed (and sometimes when the program is first started), the program states Unable to listen on the interface. The most common cause is probably running this program on a version of Windows(c) that does not support it such as 95, 98, or ME. The next most common cause is probably running the program while logged on with a non-administrative user account. The next most common cause is probably running the program on a system that has Raw Sockets disabled; Certain programs available explicitely disable Raw Sockets; To solve this problem, re-enable Raw Sockets (you may be able to use the same program for this task). For information on compatibility of this software, see Compatibility.
• When a TCP connection is established, the three-way-handshake packets are slightly out of order. This is a known issue that occurs on some systems.
• With some rare web-servers that do not correctly support HTTP 1.1 but claim to, the files are not saved. This incompatibility has been resolved in versions of PIAFCTM later than 1.5.2.
• File Mode does not work, it always states Error writing the file. See the help topic located two sections (topics) above.
• The search feature does not work. This feature will not work when searching unicode text, this is not a bug, unicode searching is simply not implemented.
• This program does not get all of the traffic, it only captures packets involving the computer that it is running on. This is due to a limitation of the method used to capture packets. In some situations (and with some hardware) this problem is not present.
• When the listening is started, all TCP traffic on the system halts. This is a very rare issue that only occurs on some systems.

If you find a bug or issue that you believe is missing from this documentation, please notify NetworkActiv.

Why does the program installer say it's corrupt after I choose my language?

There are a few different reasons for receiving this message, common reasons are:

• You have a virus on your system. When a computer has a virus, it (the virus) will commonly copy its executable code into any new executable files (such as this installer), thereby resulting in the program executable being considered corrupt by the corruption testing system.
• The installer executable is corrupt. This may occur during download or it can be caused by hardware malfunction, the most common hardware to cause data corruption is the RAM. This problem could also be caused by a software malfunction.
• You have a program running (other than a virus) that is causing this problem. One program known to cause this problem is Macro Express; If you are currently using Macro Express, simply terminate (exit) Macro Express and then run the NetworkActiv program installer. After the installation completes, you may restart Macro Express.

If you find other programs that are not mentioned here that cause this software to say it's corrupt, please let NetworkActiv know about it.

How do I make it work correctly on Windows Vista/7?

Introduction:

On some systems, particularly with Vista/7 (although sometimes older versions of Windows as well), only one direction of the network traffic is captured. When the only direction captured is the outbound packets (which is usually the case), it can lead File Mode to indicate that files are "Processing" but then nothing is saved, even though the filters haven't blocked the files.

Solution:

Though these procedures have not been reported successful as of the point this was written, one or both might work for someone out there. Both procedures involve the installation and use of the NetworkActiv PIAFCTM Packet Driver.

Procedure One

Make a shortcut and have PIAFCTM do it for you [This procedure has been reported to have caused the Raw Sockets mode to begin to capture inbound packets rather than nothing]

1. Create a shortcut to the downloaded executable file. This can usually be done by a right-click on the exe file and a selection of the Create Shortcut option.
2. Right-click the shortcut just created in Step 1 and select Properties.
3. On the Properties dialog, select the Compatibility tab.
4. Where it states Compatibility mode, enable the Run this program in compatibility mode for: option and choose Windows 2000 in the drop-down box just below that check-box, then press the OK button.
5. Run the program via the shortcut just created, and in the installation, select the Install NetworkActiv PIAFCTM as a Windows Service option. This may present a box that warns you of possible negative outcomes, and this box should be read and accepted (via the Yes option) only if you accept the possible risk mentioned on it.
6. After the installation, run PIAFCTM and select the mode.
7. Go to the Settings menu and select the Network interface option. The interfaces with a listed type of Device are those provided by the NetworkActiv PIAFCTM Packet Driver. Select the appropriate one for the network adapter you want PIAFCTM to listen on, and then press the OK button. If no such Device options are available on this list in PIAFCTM, then the driver must have not installed successfully. This could be for various reasons, such as incompatibility of the driver with the version of Windows you have. It's possible that a restart of Windows could help, but unlikely.

Procedure Two

Install the driver manually.

1. Download the NetworkActiv PIAFCTM Packet Driver and possibly verify it via its PGP Signature.
2. Read the PIAFCTM_Readme.txt file contained in the downloaded archive.