Packet Decode released

November 18th, 2009 by Chris Leave a reply »

I’m happy to say the initial release of Packet Decode has made it into the Apple app store. The initial version covers only the IP header. I have a version awaiting approval that also includes the ICMP, UDP and TCP headers. Over the next week or so I plan to submit another update that will also include the IPv6 and ICMPv6 headers as well. Have a feature recommendation? Please feel free to post it in the comments section of the FAQ.

I’m psyched about the release and have tried to make the app as easy to use as possible. Each header is displayed as a series of buttons, one for each field of the header. You simply touch the button you are interested in for more details.


For example touching the TCP flags field would produce this screen:


Each bit of the flag is another button you can touch to drill down on more info. The main screen gives you some general info about the flags. Note the clipped text at the bottom of the screen shot. The text section is scrollable. There’s a method to my madness of making the text scrollable rather than the whole screen. The reason becomes apparent if you drill down on any of the specific flags. For example the FIN flag is shown below:


Again, scrollable text to tell you all about the field (or in this case a single bit). See the two buttons at the bottom? I wanted those to always be at the bottom of the screen. My through process was someone new to packet decoding would read all the text and would not mind paging down to find the buttons. Someone who already knows about FIN would get annoyed however at having to page down every time they want to navigate to the filter examples. Again the solution was to make the text scrollable rather than the whole page.

If you navigate down to the tcpdump filters, you’ll get a screen similar to the following:


Rather than just giving you syntax, I tried to give you useful examples. Again, this field scrolls so you may want to check to see if there are additional examples off of the bottom of the page.

I used a slightly different format when it came to Wireshark and tshark. With tcpdump and Windump, you can use the same filter to capture traffic as well as filter the display. Wireshark and tshark actually use a different syntax for each, so I broke them out into two different sections:


When it comes to display filters, I did not list all possibilities. I actually found that some of the display filters are either broken or off by default. For example ip.checksum_bad does not work unless you specifically tell Wireshark you want to validate checksums. So instead I list only ip.checksum which always works and will print the value in Hex.

I also noticed all of the ip.tos.XXX display filters no longer work. Looks like the implementation of ip.dsfield which overlaps the same bits has broken them. Kind of a bummer as dsfield is not yet official. So rather than showing you display filters that don’t work, I decided to omit them.

I hope you find the tool useful!


Leave a Reply

You must be logged in to post a comment.