Site Update

February 16th, 2010 by Chris No comments »

Given the site a much needed update thanks to WPTouch. It is difficult give a good presentation to both large screen (desktops, laptops) as well as small screens (mobile phones, iPod, etc.). Think I finally have that resolved. So if this site now looks different when you view it from your phone, that’s actually a feature. :)

WinHelp Released

January 1st, 2010 by Chris No comments »

Just released version 1.0 of WinHelp. This is another tool I’ve created as much for myself as the community at large. I’ve tried to keep the interface simple and clean so the tool is easy to use.

I also tried to keep the layout task driven. So if you know what you are trying to accomplish, you can easily navigate down to finding the right answer.

Most of the details are a few pages in length so don’t forget to scroll down for more info.

Beyond the basic Windows commands, I tried to take the help a bit further. For example I also included common errors and how to work around them:

How to perform some simple troubleshooting tasks:

And even some help on writing batch files and automating processes:

Hope you find the tool to be useful!

Packet Decode and Port Find updated

January 1st, 2010 by Chris No comments »

Just released an update to both Packet Decode and PortFind. No major changes to either, just some minor additions. If you have any questions/problems, just let me know.

IPLookup Is Now PortFind

December 21st, 2009 by Chris No comments »

Decided to rename IPLookup to PortFind. Think the name is a bit more descriptive as I was never really happy with IPLookup. Of course the name change has reset the Apple approval process, so it will probably be next year before it is released.

IP Lookup 1.0

December 10th, 2009 by Chris No comments »

I’ve submitted a tool called IP Lookup to the app store for initial release. I honestly feel this is the most complete TCP and UDP port reference tool available anywhere. It currently has over 12,000 entries, and the list is still growing.


As you can see it includes a search function. Not only can you search on port numbers, but portions of the description as well. For example searching on the keyword “malware” produces a list of ports used by worms, backdoors, etc.


One of the key features of the tool is that the list is live sorted while you type. So as you start typing in your search criteria you’ll immediately see the results in the list.


Hope you enjoy the tool!

Packet Decode 1.2 released

December 10th, 2009 by Chris No comments »

Packet Decode version 1.2 has officially cleared the app store. If you have any questions or problems, please free free to post in the comments section of the FAQ link at the top of the page.

Packet Decode 1.2 Complete

December 1st, 2009 by Chris No comments »

I just submitted version 1.2 of Packet Decode to Apple.This version adds in the IPv6 and ICMPv6 headers. I also made the version backwards compatible so folks who have not updated to 3.1.2 will be able to use it as well.

This version took a bit longer than expected to finish, as Pcap’s icmp6 protocol is pretty much broken. Took a while to develop the workarounds. In any event, I would expect it to hit the store front over the next week or two.

Test your skills

November 27th, 2009 by Chris No comments »

So you’ve grabbed a copy of Packet Decode and want to take it for a spin. Here’s a couple of possible options:

I maintain another site where I frequently post packet decode challenges. Feel free to check it out and take part.

OpenPackets has an excellent archive of both normal and malicious traffic flows. Grab a few trace files and have at it!

Version 1.1 of Packet Decode has been released

November 27th, 2009 by Chris No comments »

I’m happy to say version 1.1 of Packet Decode has cleared the Apple store approval process. If you’ve purchased a previous version, you should be able to grab the update for free.

This version includes decode info for ICMP, UDP and TCP. I’ve also tweaked some of the previous IP filters.The next revision is almost ready for submission. It will include decode info for IPv6 and ICMPv6. Given the lag in Apple’s app store checking, expect to see it about mid December.

Packet Decode released

November 18th, 2009 by Chris No comments »

I’m happy to say the initial release of Packet Decode has made it into the Apple app store. The initial version covers only the IP header. I have a version awaiting approval that also includes the ICMP, UDP and TCP headers. Over the next week or so I plan to submit another update that will also include the IPv6 and ICMPv6 headers as well. Have a feature recommendation? Please feel free to post it in the comments section of the FAQ.

I’m psyched about the release and have tried to make the app as easy to use as possible. Each header is displayed as a series of buttons, one for each field of the header. You simply touch the button you are interested in for more details.


For example touching the TCP flags field would produce this screen:


Each bit of the flag is another button you can touch to drill down on more info. The main screen gives you some general info about the flags. Note the clipped text at the bottom of the screen shot. The text section is scrollable. There’s a method to my madness of making the text scrollable rather than the whole screen. The reason becomes apparent if you drill down on any of the specific flags. For example the FIN flag is shown below:


Again, scrollable text to tell you all about the field (or in this case a single bit). See the two buttons at the bottom? I wanted those to always be at the bottom of the screen. My through process was someone new to packet decoding would read all the text and would not mind paging down to find the buttons. Someone who already knows about FIN would get annoyed however at having to page down every time they want to navigate to the filter examples. Again the solution was to make the text scrollable rather than the whole page.

If you navigate down to the tcpdump filters, you’ll get a screen similar to the following:


Rather than just giving you syntax, I tried to give you useful examples. Again, this field scrolls so you may want to check to see if there are additional examples off of the bottom of the page.

I used a slightly different format when it came to Wireshark and tshark. With tcpdump and Windump, you can use the same filter to capture traffic as well as filter the display. Wireshark and tshark actually use a different syntax for each, so I broke them out into two different sections:


When it comes to display filters, I did not list all possibilities. I actually found that some of the display filters are either broken or off by default. For example ip.checksum_bad does not work unless you specifically tell Wireshark you want to validate checksums. So instead I list only ip.checksum which always works and will print the value in Hex.

I also noticed all of the ip.tos.XXX display filters no longer work. Looks like the implementation of ip.dsfield which overlaps the same bits has broken them. Kind of a bummer as dsfield is not yet official. So rather than showing you display filters that don’t work, I decided to omit them.

I hope you find the tool useful!