Archive for November, 2009

Test your skills

November 27th, 2009

So you’ve grabbed a copy of Packet Decode and want to take it for a spin. Here are a couple of options:

I maintain another site where I frequently post packet decode challenges. Feel free to check it out and take part.

OpenPackets has an excellent archive of both normal and malicious traffic flows. Grab a few trace files and have at it!

Version 1.1 of Packet Decode has been released

November 27th, 2009

I’m happy to say version 1.1 of Packet Decode has cleared the Apple store approval process. If you’ve purchased a previous version, you should be able to grab the update for free.

This version includes decode info for ICMP, UDP and TCP. I’ve also tweaked some of the previous IP filters. The next revision is almost ready for submission and will include decode info for IPv6 and ICMPv6. Given the lag in Apple’s app store review, expect to see it around mid-December.

Packet Decode released

November 18th, 2009

I’m happy to say the initial release of Packet Decode has made it into the Apple app store. The initial version covers only the IP header. A version that also includes the ICMP, UDP and TCP headers is awaiting approval, and over the next week or so I plan to submit another update adding the IPv6 and ICMPv6 headers. Have a feature recommendation? Please feel free to post it in the comments section of the FAQ.

I’m psyched about the release and have tried to make the app as easy to use as possible. Each header is displayed as a series of buttons, one for each field of the header. You simply touch the button you are interested in for more details.

[Screenshot: tcp-header]

For example, touching the TCP flags field produces this screen:

[Screenshot: tcp-flags]

Each bit of the flags field is another button you can touch to drill down for more info. The main screen gives you some general info about the flags. Note the clipped text at the bottom of the screenshot: the text section is scrollable. There’s a method to my madness in making the text scrollable rather than the whole screen, and the reason becomes apparent if you drill down on any of the specific flags. For example, the FIN flag is shown below:

[Screenshot: fin-flag]

Again, scrollable text tells you all about the field (or in this case a single bit). See the two buttons at the bottom? I wanted those to always be at the bottom of the screen. My thought process was that someone new to packet decoding would read all the text and would not mind paging down to find the buttons. Someone who already knows about FIN, however, would get annoyed at having to page down every time they want to navigate to the filter examples. Again, the solution was to make the text scrollable rather than the whole page.

If you navigate down to the tcpdump filters, you’ll get a screen similar to the following:

[Screenshot: tcpdump-tcp-flags]

Rather than just giving you syntax, I tried to give you useful examples. Again, this field scrolls, so check whether there are additional examples below the bottom of the screen.

I used a slightly different format for Wireshark and tshark. With tcpdump and WinDump, the same BPF filter expression serves both to capture traffic and to filter what is displayed from a trace. Wireshark and tshark use BPF syntax for capture filters but their own display-filter syntax, so I broke them out into two different sections:

[Screenshot: wireshark-tcp-flags]

When it comes to display filters, I did not list all possibilities. I found that some of the display filters are either broken or off by default. For example, ip.checksum_bad does not work unless you specifically tell Wireshark you want to validate checksums. So instead I list only ip.checksum, which always works and prints the value in hex.

I also noticed that all of the ip.tos.XXX display filters no longer work. It looks like the implementation of ip.dsfield, which overlaps the same bits, has broken them. Kind of a bummer, as dsfield is not yet official. So rather than showing you display filters that don’t work, I decided to omit them.
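As a worked example of the decoding the app's screens walk you through (the TCP flags byte bit by bit, the IP header checksum that Wireshark only validates when told to, and the single DS/TOS byte that both ip.dsfield and the legacy ip.tos.XXX filters map onto), here is a small Python decoder. It is added here and is not code from Packet Decode or from the original post. The packet bytes are constructed inline and are not captured traffic, and the keys in the returned dicts are my own labels rather than Wireshark display-filter names.

```python
import struct

# Bit masks for the TCP flags byte (offset 13 in the TCP header), high bit first.
TCP_FLAG_BITS = [
    ("CWR", 0x80), ("ECE", 0x40), ("URG", 0x20), ("ACK", 0x10),
    ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01),
]


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words.
    Over a header whose checksum field is zero it returns the value to store;
    over a complete header it returns 0 when the stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_packet() -> bytes:
    """Constructed sample (not captured traffic): IPv4 + TCP FIN/ACK,
    192.168.1.10:443 -> 10.0.0.5:51000, DS field 0x10, DF set."""
    src, dst = bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5])
    ip_no_ck = struct.pack("!BBHHHBBH4s4s",
                           0x45,    # version 4, IHL 5 words (20 bytes)
                           0x10,    # DS field: DSCP 4, ECN 0 (old TOS: delay bit)
                           40,      # total length: 20-byte IP + 20-byte TCP
                           0x1234,  # identification
                           0x4000,  # flags DF, fragment offset 0
                           64, 6,   # TTL, protocol TCP
                           0,       # checksum placeholder
                           src, dst)
    ip_hdr = ip_no_ck[:10] + struct.pack("!H", ip_checksum(ip_no_ck)) + ip_no_ck[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          443, 51000,              # source, destination port
                          0x11223344, 0x55667788,  # seq, ack
                          5 << 4,                  # data offset 5 words, reserved 0
                          0x11,                    # flags byte: ACK | FIN
                          65535, 0, 0)             # window, checksum, urgent pointer
    return ip_hdr + tcp_hdr


def decode_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header fields and validate the header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    dsfield, total_len, ident, flags_frag, ttl, proto, hdr_ck = \
        struct.unpack("!BHHHBBH", pkt[1:12])
    return {
        "version": pkt[0] >> 4, "ihl": ihl,
        "dscp": dsfield >> 2, "ecn": dsfield & 0x03,        # RFC 2474 view (ip.dsfield)
        "tos_precedence": dsfield >> 5,                     # RFC 791 view of the same byte
        "tos_delay": bool(dsfield & 0x10),
        "total_length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        "checksum": hdr_ck,                                  # the raw value ip.checksum shows
        "checksum_ok": ip_checksum(pkt[:ihl]) == 0,          # the validation ip.checksum_bad relies on
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
    }


def decode_tcp(seg: bytes) -> dict:
    """Decode the fixed 20-byte TCP header, expanding the flags byte bit by bit."""
    sport, dport, seq, ack, off_res, flags, win, ck, urg = \
        struct.unpack("!HHIIBBHHH", seg[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_res >> 4) * 4,
        "flags_raw": flags,
        "flags": [name for name, bit in TCP_FLAG_BITS if flags & bit],
        "window": win, "checksum": ck, "urgent": urg,
    }


def tcpdump_flag_filter(names, match_all=False) -> str:
    """Build a tcpdump/WinDump expression on the flags byte, tcp[13]; the same
    expression works for live capture and for reading a trace with -r."""
    mask = sum(bit for name, bit in TCP_FLAG_BITS if name in names)
    if match_all:
        return "tcp[13] & 0x%02x == 0x%02x" % (mask, mask)
    return "tcp[13] & 0x%02x != 0" % mask


if __name__ == "__main__":
    pkt = build_sample_packet()
    ip = decode_ipv4(pkt)
    print(ip)
    print(decode_tcp(pkt[ip["ihl"]:]))
    print(tcpdump_flag_filter(["SYN", "FIN"]))
```

Running it prints the decoded headers and a tcpdump expression matching any segment with SYN or FIN set. Flip any byte of the IP header and checksum_ok becomes False; that recomputation is exactly the work Wireshark skips unless checksum validation is switched on, which is why ip.checksum_bad never matches by default while ip.checksum always has a value to show.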

I hope you find the tool useful!

Packet Decode soon to be released

November 5th, 2009

[Screenshot: IP header field for Packet Decode]

Packet Decode has been submitted to the app store for approval. It runs on both the iPhone and the iPod Touch. The first release covers just the IPv4 header, but I’m already working on a bunch of other protocols, including IPv6.

I am very excited about this application, as it was the first thing I tried to find in the app store when I got my Touch. Just touch the field you are interested in and you will navigate to a detailed view. From there you can choose to see sample filters for tcpdump, WinDump, Wireshark and tshark. Everything an aspiring packet decoder needs for a reference. ;)