I also tried to keep the layout task driven. So if you know what you are trying to accomplish, you can easily navigate down to finding the right answer.

Most of the details are a few pages in length so don’t forget to scroll down for more info.

Beyond the basic Windows commands, I tried to take the help a bit further. For example I also included common errors and how to work around them:

How to perform some simple troubleshooting tasks:

And even some help on writing batch files and automating processes:

Hope you find the tool to be useful!

As you can see it includes a search function. Not only can you search on port numbers, but portions of the description as well. For example searching on the keyword “malware” produces a list of ports used by worms, backdoors, etc.

One of the key features of the tool is that the list is live sorted while you type. So as you start typing in your search criteria you’ll immediately see the results in the list.

Hope you enjoy the tool!

This version took a bit longer than expected to finish, as Pcap’s icmp6 protocol is pretty much broken. Took a while to develop the workarounds. In any event, I would expect it to hit the store front over the next week or two.

I maintain another site where I frequently post packet decode challenges. Feel free to check it out and take part.

OpenPackets has an excellent archive of both normal and malicious traffic flows. Grab a few trace files and have at it!

This version includes decode info for ICMP, UDP and TCP. I’ve also tweaked some of the previous IP filters.The next revision is almost ready for submission. It will include decode info for IPv6 and ICMPv6. Given the lag in Apple’s app store checking, expect to see it about mid December.

I’m psyched about the release and have tried to make the app as easy to use as possible. Each header is displayed as a series of buttons, one for each field of the header. You simply touch the button you are interested in for more details.

For example touching the TCP flags field would produce this screen:

Each bit of the flag is another button you can touch to drill down on more info. The main screen gives you some general info about the flags. Note the clipped text at the bottom of the screen shot. The text section is scrollable. There’s a method to my madness of making the text scrollable rather than the whole screen. The reason becomes apparent if you drill down on any of the specific flags. For example the FIN flag is shown below:

Again, scrollable text to tell you all about the field (or in this case a single bit). See the two buttons at the bottom? I wanted those to always be at the bottom of the screen. My through process was someone new to packet decoding would read all the text and would not mind paging down to find the buttons. Someone who already knows about FIN would get annoyed however at having to page down every time they want to navigate to the filter examples. Again the solution was to make the text scrollable rather than the whole page.

If you navigate down to the tcpdump filters, you’ll get a screen similar to the following:

Rather than just giving you syntax, I tried to give you useful examples. Again, this field scrolls so you may want to check to see if there are additional examples off of the bottom of the page.

I used a slightly different format when it came to Wireshark and tshark. With tcpdump and Windump, you can use the same filter to capture traffic as well as filter the display. Wireshark and tshark actually use a different syntax for each, so I broke them out into two different sections:

When it comes to display filters, I did not list all possibilities. I actually found that some of the display filters are either broken or off by default. For example ip.checksum_bad does not work unless you specifically tell Wireshark you want to validate checksums. So instead I list only ip.checksum which always works and will print the value in Hex.

I also noticed all of the ip.tos.XXX display filters no longer work. Looks like the implementation of ip.dsfield which overlaps the same bits has broken them. Kind of a bummer as dsfield is not yet official. So rather than showing you display filters that don’t work, I decided to omit them.

I hope you find the tool useful!