Systems
Software
Technology, Inc.
Tools for Networking, Internet and eCommerce
Buy two or more TracePlus products and save a bundle!
TracePlus Enterprise Bundle.... from $569.95
TracePlus Internet Bundle....from $429.95
TracePlus Pro Bundle....from $359.95
TracePlus Web Development Bundle....from $259.95
TracePlus Software Development Bundle....$289.95
This FAQ contains the most asked questions about each of our products. We will update this FAQ on a regular basis, so keep it bookmarked for future use.
If you have a technique or procedure which you use with any of the TracePlus products that would be beneficial for other users to know about, we invite you to submit it to .
You must be a registered user of any TracePlus product in order to contribute to the FAQ.
We reserve the right to edit your contribution for appropriateness, however if your contribution is accepted we will give credit to you personally for authoring the entry.
What 64 bit versions of Windows are supported by TracePlus®?
What 32 bit versions of Windows are supported by TracePlus®?
What Windows 2003 Server Service Packs are compatible with TracePlus®?
What Windows XP Service Packs are compatible with TracePlus®?
What Windows 2000 Service Packs are compatible with TracePlus®?
What Windows NT 4.0 Service Packs are compatible with TracePlus®?
Using TracePlus® with Windows XP SP2 or Windows 2003 Server SP1
(TracePlus/Web Detective (all versions), TracePlus/Win32, TracePlus/Winsock)
TracePlus® cannot intercept applications that I launch from the Start menu or the Desktop
I can't locate the .EXE file for an application I want to debug
Can TracePlus debug applications running as a limited user?
Debugging C# and Managed C++ applications
Debugging Java applications (.CLASS and .JAR)
Debugging HTML applications (.HTA)
Debugging VBScript applications (.VBS)
Debugging Control Panel applets
Debugging multiple applications simultaneously
Debugging applications written in interpreted languages such as Visual Basic or Visual FoxPro
Debugging Windows NT/2000/XP/2003 services
I cannot debug RealPlayer or other application that has an icon in the System Tray
Notes on debugging Netscape Navigator 7.x or 8.x
Debugging a Win32 application that is already running
TracePlus® compatibility with SoftICE (Windows 98/NT 4.x/XP)
Is TracePlus® compatible with Internet Explorer Toolbars and Browser Helper Objects (BHOs)?
TracePlus®/Ethernet is saying "Could not open the requested adapter"
When I try to choose a network adapter, the list does not show any adapters
Can I select a different adapter while TracePlus/Ethernet is running?
Our LAN is connected with a hub, but I only see traffic from the local PC
Using a packet analyzer when you are connected to a network switch
Configuring Cisco managed switches for use with TracePlus/Ethernet
What managed switches have switch monitoring or port mirroring features?
Capturing MSMQ packets using TracePlus/Ethernet
Capturing DCOM packets using TracePlus/Ethernet
Can I capture and view HTTPS (SSL) traffic with TracePlus/Ethernet? Monitoring Streaming Media usage with TracePlus/Ethernet
Monitoring a remote LAN using TracePlus/Ethernet Why do outgoing packets from my PC have a bad checksum?
Logging IP addresses and calculating bandwidth with TracePlus/Ethernet Discovering the top protocols on your network
Discovering the top conversations on your network Can I see traffic from my wireless adapter?
Can I see traffic occurring on the local loopback address 127.0.0.1?
Can I view socket communications within Java applets?
Debugging Web applications that use encrypted communications via SSL
Viewing SSL traffic on non-standard SSL port numbers
How do I view ODBC bound parameters in TracePlus®/Win32?
Capturing SQL Statements using ADO.NET with TracePlus
Capturing SQL Statements using ActiveX Data Objects with TracePlus
How can I capture all Win32 API functions with TracePlus®/Win32?
My Winsock application only works when I run it from TracePlus®
I have Norton Cleansweep installed, and I am having problems capturing applications with TracePlus®
I cannot open the .PDF manual for my TracePlus® product with Adobe Acrobat
All TracePlus applications (as of February 1, 2007) are compatible with 32 bit versions of Windows Vista Home/Business/Ultimate Editions..
The ability of TracePlus to intercept applications launched from the Start menu or the Desktop will not be available in Windows Vista. The implementation of his feature uses functionality available in previous versions of Windows that was removed from Vista by Microsoft for security reasons.
TracePlus/Ethernet is compatible with Windows XP x64, Windows 2003 Server x64, and 64 bit versions of Windows Vista. It makes use of WOW64 (32 bit) using 64 bit drivers.
The ability of TracePlus to intercept applications launched from the Start menu or the Desktop will not be available on 64 bit Windows platforms. The implementation of his feature uses functionality available in previous versions of Windows that was removed by Microsoft for security reasons.
| Product | Conversion to 64 bit |
| TracePlus/Ethernet | Will run on x64 as of v5.46.000 (32 bit application with 64 bit drivers) |
| TracePlus/Web Detective (Standard Edition) | 4th quarter of 2007 |
| TracePlus/Web Detective (eBusiness Edition) | 4th quarter of 2007 |
| TracePlus/Win32 | Not planned |
| TracePlus/Winsock | Not planned |
All TracePlus products support the following versions of Windows:
| Windows Version | Release Date |
| Windows 98 SE | June 25, 1998 (no longer supported) |
| Windows Millennium | September 14, 2000 (no longer supported) |
| Windows NT 4.x (Workstation and Server) | July 29, 1996 |
| Windows 2000 (Workstation and Server) | February 17, 2000 |
| Windows XP Home and Professional | October 25, 2001 |
| Windows 2003 Server | April 24, 2003 |
| Windows Vista Home/Business/Ultimate Editions | February 1, 2007 |
All TracePlus applications are compatible with Windows 2003 Server running Service Pack 1 (SP1) or Service Pack 2 (SP2). TracePlus supports Windows 2003 Server with no service pack as well.
All TracePlus applications are compatible with Windows XP Home or Professional running Service Pack 1 (SP1) or Service Pack 2 (SP2). TracePlus supports Windows XP with no service pack as well.
All TracePlus applications are compatible with Windows 2000 Workstation or Server running Service Pack 1 (SP1), Service Pack 2 (SP2, Service Pack 3 (SP3), or Service Pack 4 (SP4). TracePlus supports Windows 2000 with no service pack as well.
All TracePlus applications are compatible with Windows NT 4.0 Workstation or Server running either Service Pack 5 or Service Pack 6a. We do not support any other Service Packs. TracePlus does not support Windows NT 4.0 with no service pack installed.
With the release of Windows XP SP2 and Windows 2003 Server SP1, Microsoft introduced a feature called Data Execution Prevention (also known as DEP). Data Execution Prevention is enabled by default on PCs with AMD Athlon 64, 64 FX, Turin, and Opteron Family processors, as well as newer Intel Xeon, Pentium 4, Pentium M or "Centrino" processors, and Celeron-D processors.
Intel Processors with XD support:
AMD processors with NX support:
* Except AMD64 based on Clawhammer-512 core rev. C0
All TracePlus products released before 10/27/2005 are affected by DEP, and will exhibit one of two symptoms:
The following versions of TracePlus are compatible with the Data Execution Prevention feature:
| Product | Version | Date Released |
| TracePlus/Ethernet | 3.53.000 | 10/27/2005 |
| TracePlus/Web Detective (eBusiness Edition) | 2.63.000 | 10/27/2005 |
| TracePlus/Web Detective (Standard Edition) | 4.15.000 | 10/27/2005 |
| TracePlus/Win32 | 4.12.000 | 10/27/2005 |
| TracePlus/Winsock | 6.61.000 | 10/27/2005 |
If you have an earlier version of a TracePlus product and have a PC with the one of the above processors, you can update your software to the most recent version, or use the following procedure to disable Data Execution Prevention for each of your TracePlus products.
You must be logged on as an administrator or a member of the Administrators group in order to complete this procedure. If your computer is connected to a network, network policy settings might also prevent you from completing this procedure.
– or –
All TracePlus applications are compatible with applications using .NET Framework 1.0, 1.1, 1.1 SP1, and 2.0.
If you have started a trace, and the application(s) you launch
from the Start Menu or the Windows Desktop are not being intercepted
by TracePlus, there are two possibilities:
1. If you installed one or more Security Updates after you updated
our product, then it could be that one of those Security Updates is
interfering with our product. Because the feature you are having
trouble with can be construed by Microsoft as "virus" activity,
sometimes a Security Update will "disable" that feature. The only
solution (if this is the case) is to remove the Security Update.
2. The patch updater did not update the product correctly. In this
case, you need to uninstall the product, then install the original
version you received from us, then patch the original version from
our site.
The ability to intercept applications launched from the Start menu or the Desktop is not available in Windows Vista. The implementation of his feature uses functionality available in previous versions of Windows that was removed from Vista by Microsoft due to security issues.
To find the executable name of an application you want to capture, try the following procedure (this example is for Internet Explorer):
In general, this is the procedure for locating where the .EXE file is for any application that you have installed in your Start Menu.
The following versions of TracePlus are installed under the "All Users" profile and have been updated to debug applications running as a limited user:
| Product | Version | Date Released |
| TracePlus/Web Detective (eBusiness Edition) | 4.32.000 | 2/13/2007 |
| TracePlus/Web Detective (Standard Edition) | 5.32.000 | 2/13/2007 |
| TracePlus/Win32 | 5.32.000 | 2/13/2007 |
| TracePlus/Winsock | 8.42.000 | 2/13/2007 |
Earlier versions of TracePlus products do not support this feature.
TracePlus has native support for Win32 executables written in C# and Managed C++. API calls from both managed and unmanaged code can be captured. There are two different methods for capturing a Win32 executable, both of which can be used repeatedly for testing purposes:
On the Launch Tab of the Capture Options dialog, you can specify an application, command line, and working directory directly by checking the option "Launch the specified application below".
Push Start and TracePlus will launch your executable file.
On the Launch Tab of the Capture Options dialog box, make sure that the option "Capture applications started from the Windows Desktop" is selected, then start a capture.
You can start your application from Windows in one of three ways:
When you double-click on the executable file, TracePlus will intercept it. Press Ok, and TracePlus will launch your executable file.
You can debug Java applications using TracePlus by intercepting the Java Runtime Environment, or JRE. The filename of the JRE can be either java.exe or javaw.exe, and is normally located underneath the "Program Files\Java" directory.
There are two different methods for capturing a Java application, both of which can be used repeatedly for testing purpoes:
On the Launch Tab of the Capture Options dialog, you can specify an application, command line, and working directory directly by checking the option "Launch the specified application below".
Push Start and TracePlus will launch your Java application using the JRE.
Another way to create a test scenario is to create a shortcut on the Windows Desktop. Right-click on the Windows Desktop, select New, then Shortcut.
On the Launch Tab of the Capture Options dialog box, make sure that the option "Capture applications started from the Windows Desktop" is selected, then start a capture. When you double-click on the shortcut, TracePlus will intercept it. Press Ok, and TracePlus will launch your Java application using the JRE.
You can debug HTML applications (.HTA) with TracePlus by intercepting the Microsoft HTML Application Host. The filename of this application is mshta.exe, and is normally located underneath the "WINNT\System32" or "Windows\System32" directory.
There are two different methods for capturing a HTML application, both of which can be used repeatedly for testing purposes:
On the Launch Tab of the Capture Options dialog, you can specify an application, command line, and working directory directly by checking the option "Launch the specified application below".
Push Start and TracePlus will launch your HTML application using the host application (mshta.exe).
Another way to create a test scenario is to create a shortcut on the Windows Desktop. Right-click on the Windows Desktop, select New, then Shortcut.
On the Launch Tab of the Capture Options dialog box, make sure that the option "Capture applications started from the Windows Desktop" is selected, then start a capture. When you double-click on the shortcut, TracePlus will intercept it. Press Ok, and TracePlus will launch your HTML application using the host application (mshta.exe).
You can debug VBscript applications (.VBS) with TracePlus by intercepting the Microsoft Windows Based Script Host. The filename of this application is wscript.exe, and is normally located underneath the "WINNT\System32" or "Windows\System32" directory.
There are two different methods for capturing a VBScript application, both of which can be used repeatedly for testing purposes:
On the Launch Tab of the Capture Options dialog, you can specify an application, command line, and working directory directly by checking the option "Launch the specified application below".
Push Start and TracePlus will launch your VBScript application using the host application (wscript.exe).
Another way to create a test scenario is to create a shortcut on the Windows Desktop. Right-click on the Windows Desktop, select New, then Shortcut.
On the Launch Tab of the Capture Options dialog box, make sure that the option "Capture applications started from the Windows Desktop" is selected, then start a capture. When you double-click on the shortcut, TracePlus will intercept it. Press Ok, and TracePlus will launch your VBScript application using the host application (wscript.exe).
You can debug Perl scripts with TracePlus by intercepting the Perl runtime environment. Normally, the filename of this application is perl.exe. The following example uses the ActivePerl product (www.activestate.com), and is commonly located inside the "\Perl\bin" directory.
There are two different methods for capturing a Perl script, both of which can be used repeatedly for testing purposes:
On the Launch Tab of the Capture Options dialog, you can specify an application, command line, and working directory directly by checking the option "Launch the specified application below".
Push Start and TracePlus will launch your Perl script using the host application (perl.exe).
Another way to create a test scenario is to create a shortcut on the Windows Desktop. Right-click on the Windows Desktop, select New, then Shortcut.
On the Launch Tab of the Capture Options dialog box, make sure that the option "Capture applications started from the Windows Desktop" is selected, then start a capture. When you double-click on the shortcut, TracePlus will intercept it. Press Ok, and TracePlus will launch your Perl script using the host application (perl.exe).
You can debug Control Panel applets with TracePlus by intercepting the application rundll32.exe, which is normally located underneath the "WINNT\System32" or "Windows\System32" directory.
There are two different methods for capturing a Control Panel applet, both of which can be used repeatedly for testing purposes:
On the Launch Tab of the Capture Options dialog, you can specify an application, command line, and working directory directly by checking the option "Launch the specified application below".
Push Start and TracePlus will launch the Control Panel applet application using the rundll32.exe application.
Another way to create a test scenario is to create a shortcut on the Windows Desktop. Right-click on the Windows Desktop, select New, then Shortcut.
On the Launch Tab of the Capture Options dialog box, make sure that the option "Capture applications started from the Windows Desktop" is selected, then start a capture. When you double-click on the shortcut, TracePlus will intercept it. Press Ok, and TracePlus will launch your Control Panel applet using rundll32.exe.
All TracePlus products have native support for debugging multiple applications simultaneously. There are two different methods for doing this:
When two or more applications are captured, it is a good idea to use the sort feature in each of the Views to sort the information by the Process column. This will enable you to view the captured information in sequential order by process.
To use TracePlus to debug applications written in interpreted languages, you must launch the associated development environment from TracePlus. The following example is for Visual Basic applications in DESIGN MODE:
To capture an NT/2000/XP/2003 service using any TracePlus product (except TracePlus/Ethernet), you need to locate the key in the registry that specifies the service .EXE file. and place the name and path of the TracePlus .EXE file ahead of the service .EXE filename which is defined by the ImagePath value, i.e:
"C:\Program Files\tpwins.exe" "c:\My Service\MyService.exe" [rest of command line]
Paths with embedded spaces must be enclosed in double quotes, like the above example. |
Additionally, you need to select the option "Interacts with desktop" in the Service dialog box (accessed by pressing the Startup button). This makes the TracePlus application visible on the Windows Desktop.
Use the Service Start button in the Service Control Panel to launch TracePlus. When TracePlus launches, it will automatically start the service and starting capturing. Note that stopping the service manually will cause TracePlus to exit.
While you are running TracePlus as a service, you cannot launch other applications or capture applications started from the Windows Desktop. This is by design, and consistent with the concept of how services operate within Windows.
In newer versions of TracePlus, placing the /PROMPT directive before the service filename will cause the Capture Options dialog box will appear before the service is started. The ImagePath value should appear as follows:
"C:\Program Files\tpwins.exe" /PROMPT "c:\My Service\MyService.exe" [rest of command line]
This enables you to modify the various filter settings before the service starts. The caveat to using this feature is that Windows expects the Service to communicate with the Service Control Manager (SCM) in a specific amount of time.
It is important that you make adjustments in the Capture Options dialog box and push the Start button within 30 seconds, otherwise Windows will display an error message stating that it cannot communicate with the service. If that happens, the process will be terminated and TracePlus will also be terminated.
In order to debug RealPlayer or other application which has an icon in the System Tray, you need to terminate the helper application. This is necessary, because often the helper application often spawns the actual application you want to trace.
For example, here is a sample System Tray:
The
last icon in this sample is RealAudio Player. To close the helper
application associated with the icon, right click on the icon
itself. A menu will appear.
For RealPlayer, select Close SmartCenter.
Now launch TracePlus, and follow this procedure:
The technical explanation for this issue is that the application is running BEFORE TracePlus has been launched. Remember, TracePlus can only trace applications which launch AFTER the trace has started. This includes all applications appearing in the System Tray when Windows is first started. |
Version 7.x of Netscape Navigator introduced a "Quick Launch" feature, which loads selected parts of the Netscape browser into memory when Windows starts for the first time. This feature is similar to a one installed by Microsoft Office.
The Quick Launch feature is not compatible with TracePlus because TracePlus cannot trace an application that is already running.
 |
In order for TracePlus to work with Netscape 7.x, the Quick Launch feature must be disabled. When installing Netscape 7.0 for the first time, Setup will ask you whether you want to use the Quick Launch option. You can disable this feature by unchecking the checkbox. |
 |
You can also disable Quick
Launch by right-clicking on the Netscape icon in the System
tray, then selecting Disable Quick Launch. You will need to reboot in order for the Quick Launch feature to be removed from memory. |
Version 6.x of Opera utilizes a "executable packing" tool which loads a altered executable image into memory. As discussed elsewhere in this document, TracePlus (except for TracePlus/Ethernet) is not compatible with executables that packed with such a tool. The last version of Opera we are aware of that does not have an altered executable image is version 5.12.
Please contact the vendor for a version that does not use the "executable packing" tool.
| NOTE: This information applies to the following products: TracePlus/Web Detective (Standard Edition), TracePlus/Web Detective (eBusiness Edition), and TracePlus/Winsock. |
There are two possible causes:
1. Some (very few) spyware products are aware of tools like TracePlus, and try to defend against having their Internet connections monitored by TracePlus.
2. Many spyware products are poorly written and function in an unstable manner when running inside a debugger such as TracePlus. Examples of well written commercial Browser Helper Objects which have been tested with TracePlus include:
Alexa (Amazon) Toolbar http://www.alexa.com Ask Jeeves Toolbar http://sp.ask.com/docs/toolbar eBay Toolbar http://pages.ebay.com/ebay_toolbar Google Toolbar http://toolbar.google.com Yahoo! Companion Toolbar http://companion.yahoo.com
Note that the minimum browser requirement for TracePlus to support Browser Helper Objects is Internet Explorer version 5.5 or newer.
In either case, it is best to remove all spyware from your PC, The following URLs are a good starting point in finding tools that remove spyware products:
Spy-Bot Search & Destroy http://www.safer-networking.org Ad-aware http://www.lavasoftusa.com PestPatrol http://www.safersite.org HijackThis http://www.tomcoyote.com/hjt Spyware Eliminator http://www.aluriasoftware.com DoxDesk.com http://www.doxdesk.com/parasite SpywareInfo http://www.spywareinfo.com Spychecker.com http://www.spychecker.com
All TracePlus products generally support well written Internet Explorer Toolbars and Browser Helper Objects if you are running Internet Explorer version 5.5 or newer.
Internet Explorer Toolbars such as Yahoo and Google do not work with TracePlus if you are running Internet Explorer version 5.0 (all service packs) or lower.
The following Browser Helper Objects have been tested and appear to work with TracePlus if you are running Internet Explorer 5.5 and higher:
| Browser Helper Object | Company Website |
| Adobe Acrobat Explorer Bar | http://www.adobe.com/ |
| Adobe Acrobat Reader | |
| Adobe Acrobat Toolbar | |
| Alexa (Amazon) Toolbar | http://www.alexa.com |
| Ask Jeeves Toolbar | http://sp.ask.com/docs/toolbar |
| eBay Toolbar | http://pages.ebay.com/ebay_toolbar |
| Google Toolbar | http://toolbar.google.com |
| Yahoo! Companion Toolbar | http://companion.yahoo.com |
We provide support only for Browser Helper Objects appearing in this list. If you are having issues debugging a Web Application inside Internet Explorer, we recommend that you remove any Browser Helper Objects not on the list above.
We do not support any HTTP Analysis applications that run as Browser Helper Objects inside Internet Explorer as they conflict with the technology used by TracePlus.
The ability to attach to a running application was removed back in 1997 from all Win32 based TracePlus products due to the unreliability of such a method.
Specifically, in order to intercept API functions via LoadLibrary()/GetProcAddress(), TracePlus must see all API calls from the time that the application is started, otherwise API function calls will be missed.
Note that other products that have this functionality will have the same problem.
TracePlus is not compatible with SoftICE. If you want to run TracePlus, you must boot Windows without loading SoftICE. SoftICE is a registered trademark of Compuware/NuMega.
We have created a guide on selecting the best place to install TracePlus/Ethernet on your network.
The guide is located at http://www.sstinc.com/network_traffic.html (opens new window).
There are five scenarios in which the message "could not open the requested adapter" will appear:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCASp50
| To correct this problem, select "Reset TracePlus Ethernet Service" from the TracePlus group on the Start menu. Reboot your machine after running this utility. This works 99% of the time. |
| Search for PCASp50.SYS on your machine and see if you have multiple copies of this file. If you do, then you have more than one product using the same drivers. |
In any event, first try to use the solution described in scenario 1: Select "Reset TracePlus Ethernet Service" from the TracePlus group on the Start menu. Reboot your machine after running this utility. This works 99% of the time.
TracePlus dynamically loads its NDIS protocol drivers when the application is launched. However the Windows NT 4.x/2000/XP/2003 Server security model does not allow applications to load and unload device drivers when the logged-in user has no administrative privileges
If you encounter this issue, use "regedit.exe" to delete the following keys in your registry, then reboot your machine and restart TracePlus.
| Product Version | Registry Key |
| 1.x, 2.x, 3.x | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCANDIS5 |
| 5.x | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCASP50 |
You can switch between different installed network adapters on your PC while TracePlus is running by using the Select Network Adapter option on the Settings menu in the Network Statistics window . If you are currently running a capture, then the Select Network Adapter option will not be available.
If the Select Network Adapter option is grayed out, locate the active Capture window and stop the Capture by pressing the Stop button on the toolbar. Then switch back to the Network Statistics window and select the option again.
One possible reason is that your hub is acting as a switch though labeled as a hub. Another possible reason is you are using a multi-speed hub, in which case you can't see the traffic from the stations operating at the speed that is different from the speed of your network adapter (i.e. if you have a 10 MBit network adapter, then you wouldn't see the traffic generated by 100 Mbit network adapters).
There are three ways you can use a packet analyzer if your local PC
is connected to a switch:
Remember that a switch only passes traffic through the a port on the switch if a packet is specifically addressed to that machine, or the packet has a broadcast address. If you don't use one of the above methods, you will only see packets routed to and from your local machine only.
We have created a short tutorial on how to configure the Cisco port mirroring feature called SPAN in order to monitor other network ports from your PC using TracePlus.
The tutorial is located at http://www.sstinc.com/cisco_span.html.
We have created a list of managed switches that support switch monitoring, port mirroring, or Cisco SPAN. These switch features are required in order to monitor other network ports from your PC using TracePlus.
The Managed Switch list is located at http://www.sstinc.com/switches.html.
On the TCP/UDP Ports tab of the Capture Settings dialog box, you can enter the various MSMQ port numbers to create a filter so that the matching packets will contain one of the selected port numbers. Below is a table of common MSMQ port numbers:
| Port | Protocol | Type |
| 1801 | TCP | MSMQ |
| 1801 | UDP | MSMQ |
| 2101 | TCP | MSMQ-DCS |
| 2103 | TCP | MSMQ-RPC |
| 2105 | TCP | MSMQ-RPC |
| 2107 | TCP | MSMQ-Mgmt |
| 3527 | UDP | MSMQ-Ping |
In order to capture DCOM packets, you must know which lower level protocol are carrying the DCOM packets, such as TCP/IP, IPX/SPX, or NetBIOS.
There is a relevant article on capturing DCOM packets on MSDN entitled "Understanding the DCOM Wire Protocol by Analyzing Network Data Packets" at http://www.microsoft.com/msj/0398/dcom.aspx.
Secure Hypertext Transfer Protocol (HTTPS) transfers encrypted information between computers over the World Wide Web. currently no sniffer tools can reconstruct HTTPS packets to primary plain contents except the packet header; in other words, if you are visiting a https website you can not get the URL from TracePlus web log, but associated connections information can be found in the "Connections" view.
On the TCP/UDP Ports tab of the Capture Settings dialog box, you can enter the port numbers of various streaming media protocols to create a filter so that the matching packets will contain one of the selected port numbers. Below is a table of streaming media port numbers:
| Port | Protocol |
| 554 | RTSP |
| 1755, 5005 | Microsoft Media Server |
| 7070, 7075 | PNM (also known as PNA) |
In order to monitor the traffic on a remote LAN, you should install TracePlus on a PC connected to the remote LAN (taking into account whether that PC is connected to a switch or a hub). If it is connected to a switch, make sure you read the topic Using TracePlus/Ethernet when you are connected to a network switch.
If the PC is running Windows XP or Windows 2003 Server you can enable the Remote Desktop Access feature as long as you have access to Remote Desktop through the firewall. Note that having access to Remote Desktop from the Internet through a firewall is a security risk.
You can also utilize other remote-access software such as Windows 2000 Terminal Server, Symantec PC Anywhere, Microsoft Virtual PC.
Many Gigabit network adapters have the "Checksum offload" feature enabled by default. When this is enabled, the adapter performs the time-consuming process of calculating the checksum which appears in both the IP header and in the TCP header of a packet.
For some network drivers, if the checksum calculations are offloaded then the checksum value(s) are set to zero. TracePlus captures each outgoing packet before it goes to the adapter, thus the checksum for the packet was not calculated.
To resolve this issue, you need to disable the adapter's Offload Transmit IP Checksum and Offload Transmit TCP Checksum feature in the Advanced Settings tab of the Properties dialog box for that network adapter.
TracePlus has a Bandwidth by IP View located in the Network Statistics window that contains traffic statistics and bandwidth measurements for all IP addresses.
You can sort the items in the grid by clicking on the column header representing the data to be used as sort criteria. A grey triangle will appear in the column header when you click on it. The triangle points to the top of the screen if the column is sorted in ascending order, and points to the bottom of the screen when the column is sorted in descending order. Consecutive clicks will alternate between ascending and descending sorts.
In the above example, we have sorted the Bandwidth by IP View by % of total packets, sorted in descending order. Note the gray triangle in the column header. The first row in the grid represents the top IP address based on total packets. The fact that this IP address has high amount of packets and a low bandwidth consumption indicates that the IP address is transmitting or receiving smaller size packets.
TracePlus has a Protocols View located in the Network Statistics window that contains traffic statistics for all protocols seen on your network.
You can sort the items in the grid by clicking on the column header representing the data to be used as sort criteria. A grey triangle will appear in the column header when you click on it. The triangle points to the top of the screen if the column is sorted in ascending order, and points to the bottom of the screen when the column is sorted in descending order. Consecutive clicks will alternate between ascending and descending sorts.
In the above example, we have sorted the Protocols View by % of total packets, sorted in descending order. Note the gray triangle in the column header. The first row in the grid represents the top protocol measured by total packets. This protocol accounts for 43% of the total packets and 81% of the total bytes.
TracePlus/Ethernet has a Conversations view located in the Network Statistics window that contains traffic statistics and bandwidth measurements for all IP addresses.
You can sort the items in the grid by clicking on the column header representing the data to be used as sort criteria. A grey triangle will appear in the column header when you click on it. The triangle points to the top of the screen if the column is sorted in ascending order, and points to the bottom of the screen when the column is sorted in descending order. Consecutive clicks will alternate between ascending and descending sorts.
In the above example, we have sorted the Conversations View by % of total packets, sorted in descending order. Note the gray triangle in the column header. The first row in the grid represents the top conversation measured by total packets. This conversation accounts for 33% of the total packets and 72% of the total bytes.
TracePlus/Ethernet captures network packets at what is called the NDIS (Network Driver Interface Specification) layer in Windows. The driver for the wireless adapter converts the 802.11a/b/g packets into standard Ethernet packets before passing them along to Windows.
So the answer is that TracePlus can see Ethernet traffic from a wireless adapter, but not the native 802.11a/b/g packets.
TracePlus/Ethernet captures network packets at what is called the NDIS (Network Driver Interface Specification) layer in Windows. Traffic transmitted or received on the local loopback address 127.0.0.1 is routed through the TDI (Transport Driver Internface) layer (the layer below Winsock), so TracePlus/Ethernet will not be able to see it.
We have another product called TracePlus®/Winsock which can see the local loopback traffic at the Application layer which is the Winsock API. You would need to start a debug session with the application that is listening on a port bound to the local loopback address in order to see the traffic.
For more information on TracePlus/Winsock, visit http://www.sstinc.com/winsock.html.
| Feature | TracePlus®/Web Detective (eBusiness Edition) | TracePlus®/Web Detective (Standard Edition) |
| Capacity of the Protocol View | 7,500 events | 5,000 events |
| Capacity of the Data View | 25,000 lines | 15,000 lines |
| HTTP Extension Framework support |  |
|
| Measures server connection times | |
|
| Separate Cookie View | |
|
| Microsecond timing accuracy | |
|
| Compression statistics for objects | |
|
| Displays whether object is cachable in the Object and Page View | |
|
| "Before request and after response" browser cache comparisons | |
|
| Time to First Byte calculation | |
|
| Low speed connection emulation | |
|
| Graphical comparison of server load | |
|
| Graphical comparison of server response time | |
|
| Graphical object download timeline | |
|
| Graphical comparison of object download speed | |
|
| Attaching comments to items in Views | |
|
| Syntax coloring HTTP/HTTPS header display | |
Socket communications created within a Java applet can be seen by TracePlus/Web Detective (both Standard and eBusiness Editions) because the Java Runtime Environment (JRE) makes calls to the Winsock API which has been hooked by TracePlus.
Any data transmitted or received on the socket will appear as packets in the Data View. If data is recognized as HTTP or a HTTP-derived protocol, it will appear in the Protocol View. If the data is recognized as HTTP, entries will appear in the Object View and Page View as well.
You can debug your Java applets by launching them from TracePlus via the JRE as outlined here, or you can debug Java applets appearing in Web pages by debugging Internet Explorer, Netscape Navigator, or FireFox. In this case, TracePlus will hook the JRE loaded by the specified web browser.
TracePlus/Web Detective (Standard and eBusiness Edition) can decrypt and display HTTPS traffic on encrypted SSL connections at any bit rate.
TracePlus/Web Detective (Standard and eBusiness Edition) display HTTP protocol information for SSL transactions if the application uses the Microsoft WININET API. This includes versions of Internet Explorer from 4.x through 7.x.
If you are using the Sun Java Runtime Environment, SSL traffic from Java applets will not be displayed because the JRE does not use WININET for SSL connections.
TracePlus/Web Detective (Standard and eBusiness Edition) display HTTP protocol information for SSL transactions if the application uses the Open Source NSS v3.4 and NSPR v4 APIs. This includes Mozilla FireFox 1.x or higher, as well as Netscape Navigator 8.x or higher.
If you are using the Sun Java Runtime Environment, SSL traffic from Java applets will be displayed because the JRE makes use of NSS and NSPR for SSL connections.
TracePlus/Winsock displays SSL transactions in encrypted form only. The SSL encryption occurs before an application makes calls to Winsock. Because TracePlus hooks in at the Winsock level, the data is already encrypted by the time TracePlus sees it. Therefore TracePlus cannot display the data at the Winsock level unencrypted. In general, we believe that this is the correct behavior, because if we could decrypt it, it wouldn't be much of an encryption method!
Web applications such as Web portals are often configured using SSL ports other than 443. In order for TracePlus to display the relevant HTTP methods and responses in unencrypted text, it needs to know any SSL port numbers you may be using other than port 443.
On the Settings Tab In the Capture Options dialog box, there is a group of edit fields titled "SSL Ports" .Here you would specify 7002 as a valid SSL port number. Note that port 443 is specified by default and cannot be changed.
Below is a comparison chart between TracePlus/Win32 and the Microsoft Logger application provided with the Debugging Tools for Windows toolkit.
| Feature | TracePlus/Win32 | Microsoft Logger |
| User interface | Interactive via GUI and command line | Two separate applications |
| Requires installation of the Debugging Tools for Windows | No | Yes |
| Individual API calls selectable. | Yes | No (Viewer only) |
| Shows call stack | Yes | No |
| Timing accuracy | Microsecond | Millisecond |
| Delta and Relative times for events | Yes | No |
| Actual process and thread IDs available in log | Yes | No |
| Shows call stack | Yes | No |
| LoadLibrary() and LoadLibraryEx() calls display DLL version information on success. | Yes | No |
| Support for Access Control APIs | Yes | No |
| Support for Networking API | Yes | No |
| Support for ODBC | Yes | No |
| Support for SQL Statements via ODBC | Yes | No |
| Support for TAPI | Yes | No |
| Status view shows DLL loads and unloads | Yes | No |
| Status view shows version numbers of DLLs being loaded | Yes | No |
| Status view shows COM and ActiveX object creation | Yes | No |
| Integrated compression for binary log files | Yes | No |
| File I/O displayed in separate view | Yes | No |
| Registry operations displayed in separate view | Yes | No |
TracePlus/Win32 displays the contents of both Input and Output parameters bound to ODBC SQL statements.
The Parameters are displayed in the Diagnostics View, inside the text of either the ODBC functions SQLExecDirect() or SQLExecute(). You can locate these API functions fast by selecting Find from the Edit menu.
Be sure that you have selected these two functions on the API Functions tab of the C
