WildPackets Decoder Reference

Doc version 5.1.0.4, updated 5/19/03

for AiroPeek 2.0, AiroPeek NX v2.0 or higher

Introduction
Overview
	Instructions
	Global Variables
	Local Variables
	The Previous Test
	String Arrays
File Formats
Threaded Decoding
Examples
	Creating Your Own Decoders
	New 802.2 LSAP Types
	New SNAP Types
	New IP Types
	New TCP Types
	New UDP Types
Decoder Instructions
Data Formats
	Data Format Representation
	Data Location Field
	Data Style Field
Label Format Representation
	Label Newline Field
	Label Location Field
	Label Style Field
Instruction Index

Introduction

This document is a guide to WildPackets' language for decoding packets in the Peek products. The language described here enables our customers to extend the decoders we have provided or to create new ones. We have devised a simple, interpreted language designed specifically for displaying network frames for several media types. The language includes instructions for displaying data, controlling the sequence of instructions, manipulating data values, and conditional execution. The format of decoder files, a detailed description of each instruction and its effects, and the tools needed for creating decoder files are discussed.

Overview

The decode of a protocol is accomplished through a collection of decoders. Each decoder is uniquely named and contains a sequence of decode instructions. An important part of the decoding process is the ability of decoders to link to other decoders. This allows a modular design, and eliminates the need for duplication of decoders for the decoding of different packets with the same first layers. Decoders of one file may use decoders of others.

The decoding process follows the layers of the protocols from the bottom layer to the top, and as layers are encountered, decoders will call other decoders and relinquish the decoding task to them. There is some strong presumption that the bottom layers appear first in the packet although there is some ability to handle the decoding when this is not exactly the case.

Each decoder is a combination of one or more decoding instructions. Most instructions are composed of a decode instruction, a value, some option fields, and a string. When the user decides to decode a packet, the decode manager is called with a pointer to the first byte of the packet. As decode instructions are encountered and executed, this pointer is incremented as dictated by the instruction type, in preparation for the next instruction. Packet data that is processed by the instruction may be saved for later use in global or local variables.

Stated another way, the pointer to the data in the packet and a decoder instruction operate on one or more bytes in the packet and the pointer moves along correspondingly. In some cases, an instruction may operate only on bits within a byte.

When the decode manager runs out of instructions, it will display the rest of the packet in a generic data format. Depending on the media type, the last of the remaining bytes are reserved for the FCS (4 bytes, Ethernet or Wireless), or not (0 bytes, Token Ring). If the decode manager runs out of packet data before exhausting the instructions an error message is displayed, notifying the user that not enough bytes were available. Nevertheless, using the different patterns of instructions, it is still possible in some cases to scan beyond the end of the packet or to create infinite loops so some caution should be exercised.

Instructions

A decoder is a sequence of one or more instructions. A typical instruction has a type, a value, an option, a data style, a label style, and a string (that may be empty).

Type	A four character code identifying the decoder instruction.
Value	A signed 32-bit value. The two high bits are used to provide options for certain instructions.
Global	A signed 32-bit value. The 26 high bits are used to provide options for certain instructions. The low 5 bits represent the index of a global variable.
Data Style	A 1-byte value containing fields for text location and style.
Label Style	A 1-byte value containing fields for text location, style, and a new line option.
String	An ASCII string to be used as a label or the name of another decoder or a string array.

Fundamentally, a single decoder instruction is intended to provide enough information to yield a label and a value after that label. The decode instruction also includes formatting information about both the label and data parts. Of course, there is no requirement to do both a label and data portion in each instruction and there are some decoder instructions that just operate on the data without displaying either a label or data, or instructions which just control the flow of instructions: test and branch, subroutine call, etc.

Global Variables

The decoders have access to 32 long word (32-bit) global areas, where they may save information for later use. There is also one implicit Boolean global, for use in test instructions. These globals provide the ability to interpret data in later parts of a packet, in accordance to values in earlier bytes of that packet.

Global Variable Format Representation

Bit(s)	Meaning
0x00000040	Local bit on global
0x00000080	Register bit on value;
0x00000100	Previous Test bit (TEQU family only)
0x00080000	Constant value bit
0x0FF00000	Number of bits to skip
0x20000000	Skip bit
0x40000000	Branch bit
0x80000000	Debugger break

Local Variables

The decoders have access to 32 long word (32-bit) local variables, where they may save information for later use inside a particular decode. These local variables provide the ability to use data from earlier parts of a decode. To use a local, instead of setting the Most Significant Bit(MSB), you will instead set the 2nd MSB. See example below, which adds 3 to the local variable 2. **Note: You can only move global variables to local variables.

ADDG 3 42;		* add 3 to local 2
ADDG 3 82;		* add global 3 to local 2
ADDG 40000003 c2;		* add local 3 to local 2

As indicated by any given instruction, the global field will determine which local to use in the operation. For example, after reading two bytes of the packet, you may wish to store it in local number 3, for use later, like the example above.

The Previous Test

Several decoder instructions perform tests to be used in other conditional instructions. For example, one instruction may compare packet data to a value or a value to a global and then a subsequent instruction will conditionally display a string or branch to another decoder. The decoder mechanism keeps track of the status of tests. See the table of instruction descriptions for instructions that take advantage of this feature. Here is an example:

void Test;
  MOVE 2 1;		* move 2 into g2
  SEQU 2 1;		* is 2 == g1 ?
  SKIP 1;
    LABL -They are not equal;
  TRTS;

Below is a variation of the example using ENDS instead of specifying the actual number to skip:

void Test;
  MOVE 2 1; 		* move 2 into g2
  SEQU 2 1; 		* is 2 == g1 ?
   SKIP;
    LABL -They are not equal;
   ENDS;
   TRTS;

And the "coup de grat" is the following example that sets the "skip bit" on the SEQU that instructs it to skip the instructions up to the ENDS instruction. In other words, if the test is true the enclosed block is executed.

void Test;
  MOVE 2 1;		* move 2 into g2
  SEQU 2 20000001;		* if 2 == g2 ?
    LABL -They are equal;
  ENDS;
  TRTS;

In the above example the skip bit is the 3rd highest significant bit on the global. The skip bit is supported by all of the S* functions including SEQU, SNEQ, SLTE, SGTE, and SBIT.

String Arrays

The other major component of decoders are string arrays referred to here as "str#" resources (because they're identified by the string "str#"). String arrays are identified by a unique name and are composed of a list of strings located with a 1-based index. Indexed string arrays provide their own index. Decoders can make use of string arrays by extracting data from a packet, possibly doing some arithmetic, and either displaying a string from an array or calling a function specified in an array.

String arrays are identified by the lowercase string "str#" followed by a unique name. Each string in the array appears on a line by itself terminated by a semicolon. Here is an example:

str# MyStrings;
  String1;
  String2;
  String3;
  ;
  String5;
  String6;

The above string array is accessed in a linear manner. The line with only a semi-colon specifies an empty string entry. A variation of the string array is the indexed string array. This type of str# allows the index of entries to be specified with a hex value of the entry followed by a '|' followed by a string. Here is an example:

str# MyStrings2;
  1 | String1;
  5 | String5;
  8 | String8; 
  9 | String9;

Another variation of the string is the mixed string array which includes indexed and non-indexed entries. Here is an example:

str# MyBitStr;
  3 | 1... Bit 3 is set;
      0... Bit 3 is not set;
  2 | .1.. Bit 2 is set;
      .0.. Bit 2 is not set; 
  1 | ..1. Bit 1 is set;
      ..0. Bit 1 is not set;

The string array in the example above is used with the BST# instruction.

File Formats

Decoders are stored in text files located in a directory adjacent to the program. Under MacOS, this directory is called "Packet Decoders"; under Windows, simply "Decodes". Individual decoders are identified by the lowercase string "void" followed by a unique name. Individual instructions follow the format: [instruction][value] [global] [data format] [label format] [string], where each element is separated by a tab character or one or more spaces. Each line is terminated by a semicolon. Here is an example:

void FTP;
  TEQU 0 10 0 30 FTP No Cmd Data;
  TLTE 5dc 10 0 30 FTP No Cmd Data;
  LABL 0 0 0 b1 FTP Control - File Transfer Protocol;
  TNXT 0 0 0 0 FTP Cmd or Reply; **

The same function could also be written as:

void FTP()
  {
     TEQU( 0, g[0x10], 0, 0x30, "FTP No Cmd Data");
     TLTE( 0x5dc, g[0x10], 0, 0x30, "FTP No Cmd Data");
     LABL( 0, 0, 0, 0xb1, "FTP Control - File Transfer Protocol");
     TNXT( 0, 0, 0, 0, "FTP Cmd or Reply");
  }

In the above example the parameters are enclosed in parenthesis. When parenthesis are used numbers are assumed to be decimals. In order to specify hex prefix numbers with 0x. In order to specify globals and locals use the g[] and l[] arrays.

Lines beginning with an asterisk "*" are ignored and can be used for comments.

**Notes: A dash can be used in place of the four number parameters when they are all equal to zero, i.e.,

TNXT -FTP Cmd or Reply;

can replace:

TNXT 0 0 0 0 FTP Cmd or Reply;

The TSUB instruction has become implicit for subroutine calls. It is not necessary to prefix a subroutine call with TSUB anymore. For example, what used to be:

TSUB 0 0 0 0 Foo;

or:

TSUB -Foo;

can also be simply:

Foo;

Specifying TSUB will still work but is not necessary.

Assignments and math on locals and globals can be done using the following syntax:

g[1] = 1;
l[1] = 2;
g[4] = l[4];
l[3] = g[6];

g[1] += 1;
l[1] += 2;
g[4] += l[4];
g[7] += g[6];
l[3] += g[6];
l[3] += l[6];

g[1] *= 0;
l[2] /= 2;
g[3] %= 1;
g[4] &= l[4];
g[5] |= 5;

Tests on locals and globals can be done using the following syntax:

if g[2] == 1 {
  LABL 0 0 90 c2 "g[2] == 0";
}

if g[2] == l[2] {
  LABL 0 0 90 c2 "g[2] == l[2]";
}

if l[1] == g[1] {
  LABL 0 0 90 c2 "l[1] == g[1]";
}

Tests can also be nested:

if g[1] <= l[2] {
  LABL 0 0 90 c2 "g[1] <= l[2]";

  if g[2] <= l[1] {
    LABL 0 0 90 c2 "g[2] <= l[1]";
  }
}

Packet data can be accessed in the following ways:

g[1] = pb[1];		* means GBYT 1 1;
g[1] = pb[0];		* means GBYT 0 1;
g[1] = pw[0];		* means GWRD 0 1;
g[1] = pl[0];		* means GLNG 0 1;
l[1] = pl[0];		* means GLNG 0 41;

In the above examples 'p' stands for packet, 'b' for byte, 'w' for word, and 'l' for long

While Loops

The following is example of while loops:

void main()
{
  g[1] = 0;
  while (g[1] < 5)
  {
    g[1] += 1;
    DGLB( 0, g[1], 0x90, 0xc2, "g[1]:");
  }

  g[1] = 5;
  while (g[1] > 0)
  {
    g[1] -= 1;
    DGLB( 0, g[1], 0x90, 0xc2, "g[1]:");
  }
}

Threaded Decoding

Packets usually contain the information needed to decode them into their protocol components. However, some protocol stacks use transactions in the form of a request packet followed by a response packet and the response packet does not contain any information about the type of request to which is responding. For example, in AFP (the AppleTalk File Protocol), a request will be made to get information about a file, and the response will contain the requested information, but the response packet does not identify itself as being the answer to a file information request. Because of the lack of information in the response packet, it could just as easily be interpreted as a response to a get volume parameters request. As a solution to this problem, the decoder language contains the WHOA instruction. This instruction takes the name of an indexed string as its string parameter. Each name in the string array is a choice of how to decode the next portion of the packet and this name is also the name of the decoder to be used. These choices are presented to the user in a dialog and the value field contains a number that is the index of the default choice that is highlighted in the list.

With this as the basis, it should be clear that the user must manually select a decode choice for those protocols that do not identify their responses. As an implementation detail, the program tends to remember the last choice selected and uses that one again for subsequent packets. However, such inference is often incorrect.

To extend the capabilities of the decoders, an additional mechanism was added that is referred to here as threaded decoding. First, the MARK instruction is added so that when a request packet is encountered, the packet is "marked" with the relevant information; in particular, the type of response that will be subsequently expected. Then, when the WHOA instruction is encountered at some later packet, the WHOA instruction checks to see if there is a marked packet that tells it how to decode the current packet. If so, the user is NOT prompted for input, but instead it is assumed that the decoding should be done as the previous MARK instruction indicated.

To clarify and illustrate the mechanism, consider the following example. A certain protocol sets up a socket-to-socket connection. Requests are made and non-request identifying responses are given. In the implementation of the protocol, the response is directed to the requester to a socket number that is unique on the requester's node. To write a decoder program for this situation, during the decode of the request the MARK instruction is processed. The string field of the MARK instruction contains the name of a string array that contains the names of all the possible response types. The value field tells which option is the correct one for this request. The source socket number is contained in a global variable and this global is passed to the MARK instruction. In processing the MARK instruction, the name of the string array (the str#), the choice of which item to use in the array, the number of the packet and the socket number passed in the global variable are stored together in LIFO memory, a.k.a., a cache.

In writing a decode program for the response, at the appropriate point where different types for the response are possible, the WHOA instruction is called. The string field of the WHOA instruction contains the name of a string array that contains the names of the all the possible response types. The value field tells which of these options is the default. The destination socket of the response has been saved in a global variable. In processing the WHOA instruction, the cache is searched for a match of both the socket number value contained in the global and the string array name. If a match is found, the choice from the possibilities, as stored in the cache by the MARK instruction, is used to decode the next portion of the packet. Moreover, if the WHOA instruction contains the number of a global variable in the high 8 bits of the value field, that global will get the number of the packet that contained the request placed into its value. If there is a match in the cache, execution continues with the designated decoder. If there is no match and the user makes a choice from those presented, execution continues with the corresponding chosen decoder. In all other cases, including when cancel is chosen, execution continues with the instruction following the WHOA instruction. Please see example below:

Mark and Whoa code example
1) Open decodes.dcd
2) Search for void SNMP

void SNMP;
     ASN1_Init;
     MOVE 0 11;  *enum testing is off
     LABL  0  0  0 b1 SNMP - Simple Network Management Protocol;
     WHOA  0  1  0  0 SNMP Exp Opt;
     WHOA  0  2  0  0 SNMP Exp Opt;
     SEQU a1  1;
     SKIP  5  0;
     SEQU a2  1;
     SKIP  3  0;
     MARK  2  2  0  0 SNMP Exp Opt;
     WHOA  0  2  0  0 SNMP Exp Opt;
     TNXT -Summary SNMP Fields;
     MARK  2  1  0  0 SNMP Exp Opt;
     WHOA  0  1  0  0 SNMP Exp Opt;
     TNXT -Summary SNMP Fields;

3) Notice MARK on line 11. It translates to MARK this packet as a possible help for a following packet, use the string array SNMP Exp Out to figure out the next possible decode. The value field tells which string to use based on the value global field, which is 2, later if this value in the global is matched then it will use the decode specified in the string array at position 2. It then stores this in a LIFO(Last In First Out) cache.
4) Notice WHOA on line 12. It translates to decode this packet based on information from a previous packet. Check global location 2 and see what value is there, if the value indexes to a string in the given string array, SNMP Exp Out, then jump to that named decoder.

Examples

Decoder programming is much like assembly language programming with very long assembly instructions. The following examples serve to illustrate how we have programmed the decoding of some of the protocols.

This is a typical, simple decode instruction:

HWRD 0 2 90 c2 Checksum:;

This instruction translates to: decode the next 16 bits as hexadecimal, the high order bit of value is zero so prepend a "0x" (ignore remaining bits in value), store the 16 bits in global variable number 2, and format the display as: new line, label at column 2, in data label style, with the given string, data in plain style beginning at column 24.

Here is another example:

HBYT 0 1 90 c2 AppleTalk Type:;
CEQU 1 1 0 14 Short DDP;
TTST 0 0 0 0 Short DDP;
CEQU 2 1 0 14 Long DDP;
TTST 0 0 0 0 Long DDP;

These instructions do the decoding of the byte that contains the LAP type in an AppleTalk DDP packet. After displaying the value in hexadecimal, a translation string of "Short DDP" or "Long DDP" is displayed in the message style if the LAP type is equal to 1 or 2 respectively. Further, if either the type is 1 or 2, decode execution switches to a decoder named "Short DDP" or "Long DDP" respectively.

The best source of examples is the decoders we've provided with the product. If you're using Microsoft Windows you can view the decoders with a text editor such as NotePad or WordPad. If you're using MacOS you can view the decoders with a text editor such as BBEdit.

Creating Your Own Decoders

Remember, your decoder and string arrays should be uniquely named over the set of all decoder files. If you fail to do this, it is not a fatal problem, but it can be confusing because, most likely, only the first occurrence of an item will be found. Many protocol stacks have names or acronyms that are exactly the same. Choose your decoder names judiciously. Also, old decoder files must be moved out of the directory tree of the application.

Inevitably, you will need to link your decoders into the parsing stream of the decoder mechanism by changing at least one of the existing decoder files. Here are some hints for commonly used control points.

New 802.2 LSAP Types

1. Make a copy of the "decodes.dcd" file as a backup and move it to a safe place.
2. Open the original file.
3. Locate the last instruction in the "LSAP::Names" decoder which is a "TRTS".
4. Add a new "CEQU" instruction immediately before the last "TRTS" instruction.
5. Edit the instruction value to be the hexadecimal value of the new LSAP.
6. Edit the instruction string to be the name of the new 802.2 type.
7. Base the rest of the instruction on preceding "CEQU" instructions.
The next steps add the jump point to the new LSAP type. Usually there are two possibilities: two jump points, (one for the DSAP and one for the SSAP) or one jump point which requires that both the DSAP and SSAP have the same new value.
8. Locate the decoder called "802_2::Common".
9. Go to the bottom of the decode "802_2::Common", you will see a "802_2::Data", this is a branch instruction similar to:

TSUB 0 0 0 0 802.2 Data;

TSUB -802.2 Data;

Follow the the branch to the new decode "802_2::Data".
10. Locate the last instruction in the "802_2::Data" decoder which is a "DUMP".
11. If you want two jump points on either LSAP, add two "TEQU" instructions before the last "DUMP" instruction. One "TEQU" will test global 1 and the other will test global 2. Look above in the decode at the handling of 802.2 SNA for an example (instructions number 15 and 16).
12. If you want one jump point, only if the DSAP and SSAP are both the new LSAP value, then add an "SEQU" and a "TEQU" instruction before the last "DUMP" instruction. The "SEQU" instruction will test global 1 and set the previous test flag and the "TEQU" instruction will test global 2 and, using a special option (setting the high bit in the global column) for the "TEQU" instruction, branch to the named decoder if the values match to globals. Look above at the handling of IP for an example.
13. Edit the values for the instructions you added.
14. Edit the strings for the instructions you added to be the name of the new decode to handle the new LSAP.
15. Save and close the file.

New SNAP Types

1. Make a copy of the "decodes.dcd" file as a backup and move it to a safe place.
2. Open the original file.
3. Locate the decoder called "SNAP::Names".
4. Locate the last instruction in the "SNAP::Names" decoder which is a "TRTS".
5. Add a new "CEQU" instruction before the "TRTS".
6. Edit the instruction value to be the hexadecimal value of the new SNAP.
7. Edit the instruction string to be the name of the new SNAP type.
8. Base the rest of the instruction on preceding "CEQU" instructions.
9. Locate the decoder called "SNAP".
10. Locate the last "TEQU" instruction.
11. Add a new "TEQU" instruction after the

TEQU 80c5 2 0 0 VINES Echo;

instruction.
12. Edit the instruction value to be the hexadecimal value of the new SNAP.
13. Edit the instruction string to be the name of the new jump point, the decoder that decodes the new SNAP type.
14. Base the rest of the instruction of preceding "TEQU" instructions.
15. Save and close the file.

New IP Types

1. Make a copy of the "decodes.dcd" file as a backup and move it to a safe place.
2. Open the original file.
3. Locate the decoder called "IP Common".
4. Add a new "TEQU" instruction at the top.
5. Edit the instruction value to be the hexadecimal value of the new IP type.
6. Edit the instruction string to be the name of the new decoder that handles the IP type.
7. Save and close the file.

New TCP or UDP Types

1. Make a copy of the "decodes.dcd" file as a backup and move it to a safe place.
2. Open the original file.
3. Locate the decoder called "TCP::Ports_Str".
4. Add a new entry above the first entry which should be

0x7 | Echo;

that will test the source port number stored in global 2.
5. Edit the instruction value to be the hexadecimal value of the new TCP or UDP type.
6. Edit the instruction string to be the name of the new decoder that handles the TCP or UDP type.
7. Examine subsequent instructions until you find them repeated. These instructions are testing the destination port number stored in global 2.
8. Add a new entry below your previous entry that will test the destination port number stored in global 2.
9. Edit the instruction value and string just as before.
10. Save and close the file.

If your decoder work has value to other users of our products, we would be happy to distribute your decoders along with our own, giving you credit for your work.

Decoder Instructions

Instruction	Value	Global	Increment	Description
ADDG	Value to add.	Global to store result. If the high bit of the global is on then add value numbered global to global, i.e., global[glob_num] += global[value] instead of global[glob_num] += value.	Add value to a specified global.	0
ANDG	Value to AND.	Global to AND. If the high bit of the global is on then and value numbered global with global, i.e., global[glob_num] &= global[value] instead of global[glob_num] &= value.	0	Logical AND value and a specified global.
AT01	If value is zero, the name table search will be made using zero as a net work number or as a LLAP address type depending on the media type. If value is set to 1, the search will be made assuming that the pointer is at the destination node address in a long DDP packet and it will look for the net number backwards accordingly. If value is set to 2, the search will be made assuming that the pointer is at the source node address in a long DDP packet and it will look for the net number backwards accordingly.	Result displayed is stored in this global.	1	AppleTalk 1 byte node number. Display as an AppleTalk address. Also an attempt is made to find that node in the name table.. If a match is made, then the name will be displayed.
AT03	not used	Result displayed is stored in this global.	3	AppleTalk 3 bytes. Display as an AppleTalk address. An attempt is made to find that address in the name table. If a match is made, then the name will be displayed.
ATLG	not used	Result displayed is stored in this global.	4	AppleTalk long. Display as an AppleTalk address. An attempt is made to find that address in the name table. If a match is made, then the name will be displayed.
BBIT	Number of bits. Second highest bit signifies to use LSB order.	Result displayed is stored in this global.	Value number of bits.	Display bits as binary.
BBYT	not used	Result displayed is stored in this global.	1	Display byte as binary.
BGLB	not used	Global to display.	0	Display a global in binary format.
BITO	not used	bit offset from byte is stored in this global location.	0	Get bit offset.
BLNG	not used	Result displayed is stored in this global.	4	Display a 32-bit integer in binary format as 32 binary digits with a leading '%' sign.
BREM	not used	Number of bytes remaining is stored in this global location.	0	Get number of remaining bytes of packet.
BST#	Value to subtract from global	Global to test bits specified in indexed string array with.	0	A str# resource with the following string name is loaded and the indexes in the entries are used as bit positions to test against the global. For each entry if the bit is the string is displayed, otherwise the string in the next is displayed if the next entry is an un-indexed entry.
BWRD	The second highest bit commands a byte swap (INTEL format).	Result displayed is stored in this global.	2	Display a 16-bit integer in binary format as 16 binary digits with a leading '%' sign.
BYTO	not used	Byte offset from start of packet is stored in this global location.	0	Get byte offset.
CBIT	Value to check against global.	Global to check against value. If the global has the high bit set then the previous test must also be true before displaying the string.	0	Test bit indicated by value in the specified global and if set then the string is displayed. Bit numbers start with zero as the least significant bit.
CEQU	Value to check against global.	Global to check against value. If the global has the high bit set then the previous test must also be true before displaying the string.	0	Test value against a global. The string is displayed if equal.
CGTE	Value to check against global.	Global to check against value. If the global has the high bit set then the previous test must also be true before displaying the string.	0	If value is greater than or equal to the specified global then the string is displayed. If the instruction global has the high bit on then the previous test must also be true before displaying the string. (ie. global <= value)
CHR#	If no global is specified, value is used for number of bytes to display. High bit signifies display as 7-bit ASCII, i.e., ignore the high bit of each byte.	If specified, global is used determine how many bytes to display.	Value or global	Display bytes as printing characters using ASCII.
CKSM	Value 1 indicates an AppleTalk DDP checksum. Value 2 indicates an IPv4 header checksum. Value 3 indicates a TCP, UDP, ICMP, or IGMP checksum.	not used	0	Verify checksums for various packet types and displays the correct checksum if the value contained in the packet is incorrect.
CLTE	Value to check against global.	Global to check against value. If the global has the high bit set then the previous test must also be true before displaying the string.	0	If value is less than or equal to the specified global then the string is displayed. (ie. global >= value)
CLSE	not used	not used	0	If the most recent test is false display the string.
CNEQ	Value to check against global.	Global to check against value. If the global has the high bit set then the previous test must also be true before displaying the string.	0	Test value against a global. The string is displayed if not equal.
CRLF	not used	not used	0	Insert a return or new line.
CST#	Value to subtract from global	Index into string resource	0	A str# resource with the following string name is loaded and an index (in a global) is used to get the string to be displayed. If there is a value it is subtracted from the global. If there is no such string then nothing happens, and the test result is set to false.
CSTR	High bit signifies display as 7-bit ASCII, i.e., ignore the high bit of each byte. Second highest bit signifies that the string is in UNICODE.	Length of the string (not including NULL terminator) is stored here.	Length of the string plus 1 for NULL terminator.	Display a C-style string. The string in terminated by a null character (byte value zero).
D64B	High bit signifies whether to display as signed. The second highest bit commands a byte swap (INTEL format).	Result displayed is stored in this global.	8	Display a 64-bit integer in decimal format. If the high bit of value is on then the data is displayed as a signed decimal, rather than unsigned. The second highest bit commands a byte and word swap (INTEL format).
DBIT	Number of bits. High bit signifies to display as signed number. Second highest bit signifies to use LSB order.	Result displayed is stored in this global.	Value number of bits.	Display bits as decimal.
DBYT	High bit signifies to display as signed.	Result displayed is stored in this global.	1	Display byte as decimal.
DECR	If no global specified, the number of bytes to decrement by.	If specified, holds the number of bytes to decrement by.	Negative Global or Value number of bytes.	Decrement the packet pointer by the global, or value, skipping backwards by the number of bytes specified.
DGLB	High bit signifies whether to display as signed.	Global to display.	0	Display a global in decimal format.
DIVG	Value to divide by	Global to store result. If the high bit of the global is on then divide value numbered global by global, i.e., global[glob_num] /= global[value] instead of global[glob_num] /= value.	0	Divide specified global by value.
DLNG	High bit signifies whether to display as signed. The second highest bit commands a byte swap (INTEL format).	Result displayed is stored in this global.	4	Display a 32-bit integer in decimal format.
DMPE	If value is 0, dump all the remaining bytes if the packet. If value is 1, leave enough bytes for CRC. Any other value means to output that number of bytes.	If specified, output the number of bytes contained within this global.	Number of bytes output	Display data in both hex and EBCDIC, side by side. Number of bytes is either in a global if specified, or in value, or is to the end of the packet.
DUMP	If value is 0, dump all the remaining bytes if the packet. If value is 1, leave enough bytes for CRC. Any other value means to output that number of bytes.	If specified, output the number of bytes contained within this global.	Number of bytes output	Display data in both hex and ASCII, side by side. Number of bytes is either in a global if specified, or in value, or is to the end of the packet.
DWRD	High bit signifies whether to display as signed. The second highest bit commands a byte swap (INTEL format).	Result displayed is stored in this global.	2	Display a 16-bit integer in decimal format.
EBC#	If no global is specified, value is used for number of bytes to display. High bit signifies display as 7-bit EBCDIC, i.e., ignore the high bit of each byte.	If specified, global is used determine how many bytes to display.	Value or global	Display bytes as printing characters using EBCDIC.
ENDS	not used	not used	0	End a SKIP block
ETHR	not used	not used	6	Six bytes as an Ethernet address. An attempt is made to translate the address into a DECnet address. Also an attempt is made to find that address and/or DECnet address in the name table. If a match is made, then the name will be displayed.
FCSC	not used	Result (checksum) is stored in this global location.	0	Calculates checksum based on packet media type.
FTPL	Value 1 is for use with FTP, SMTP, and POP style replies. Value 3 is for TELNET style command and data.	not used	Number of bytes output	Display data in both hex and ASCII, side by side. Number of bytes is determined by scanning for a command delimiter. Value 0 is for use with FTP, SMTP and POP style requests.
GBIT	Number of bits to retrieve.	Global location to store retrieved bits.	0	Take the number of bits specified in value and place them in the specified global without incrementing the packet pointer or displaying any information.
GBYT	Byte offset from current location in packet.	Global location to store retrieved byte.	0	Put a byte in the specified global without incrementing the packet pointer or displaying any information.
GLNG	Byte offset from current location in packet.	Global location to store retrieved long.	0	Put a 32-bit integer in the specified global without incrementing the packet pointer or displaying any information.
GSTR	If the 3rd highest bit is set, it specifies to use the value as the value to be searched for. If nothing is specified, the default value searched for will the NULL.	Byte offset from packet location up to where it found the value specified.	0	Get string length.
GWRD	Byte offset from current location in packet.	Global location to store retrieved word.	0	Put a 16-bit integer in the specified global without incrementing the packet pointer or displaying any information.
HBIT	Number of bits. High bit signifies not to prepend "0x".	Result displayed is stored in this global.	Value number of bits.	Display bits as hex.
HBYT	High bit signifies not to prepend "0x".	Result displayed is stored in this global.	1	Display byte as hex. Also useful for display or tests of greater than 4 bytes, where results have to be loaded in different globals.
HEX#	If no global is specified, value is used for number of bytes to display. High bit signifies whether to prepend "0x".	If specified, global is used determine how many bytes to display.	Value or global	Display bytes as hex.
HGLB	High bit signifies whether to prepend "0x".	Global to display.	0	Display a global in hexadecimal format.
HLNG	High bit signifies whether to prepend "0x". The second highest bit commands a byte swap (INTEL format).	Result displayed is stored in this global.	4	Display a 32-bit integer in hexadecimal format.
HWRD	High bit signifies whether to prepend "0x". The second highest bit commands a byte swap (INTEL format).	Result displayed is stored in this global.	2	Display a 16-bit integer in hexadecimal format.
INCR	If no global specified, the number of bytes to increment by.	If specified, holds the number of bytes to increment by.	Global or Value number of bytes.	Increment the packet pointer by the global, or value, skipping ahead by the number of bytes specified.
IPLG	not used	Result displayed is stored in this global.	4	Display an IPv4 address. An attempt is made to find that address in the name table. If a match is made, then the name will be displayed.
IPV6	not used	not used	16	Display an IPv6 address. An attempt is made to find that address in the name table. If a match is made, then the name will be displayed.
LABL	not used	not used	0	A label only. The instruction string is used as a label and is displayed. The packet pointer is not incremented.
LSTS	not used	not used	0	List start. If a string is provided, a count will be appended to it and displayed. The count will be incremented. Count starts at 1.
LSTE	not used	Indicates end of list if greater than or equal to list count.	0	List end. Execution returns to the last LSTS, unless global is less than or equal to the count.
LSTZ	not used	Indicates end of list unless it's less than or equal to zero.	0	List end. Execution continues at the last LSTS unless global is less than or equal to zero.
MARK	Index of string within the str# designated by the string field to use in future WHOA.	Contains the reference point for linking request and response packets, usually transaction ID or port # etc. Entered into the cache with packet number and value and string fields.	0	MARK a value and this packet number for later usage in the WHOA instruction by logging the relevant parameters in a cache. See the more detailed overall explanation of MARK and WHOA threading that follows.
MODG	Value to mod by.	Global to store result. If the high bit of the global is on then modulus value numbered global by global, i.e., global[glob_num] %= global[value] instead of global[glob_num] %= value.	0	Modulus specified global by value.
MOVE	not used	If the high bit of the instruction global is set then put value-numbered global into global.	0	Put value (or value contained within a global) in a specified global without incrementing packet pointer.
MULG	Value to multiply by.	Global to store result. If the high bit of the global is on then multiply value numbered global by global, i.e., global[glob_num] = global[value] instead of global[glob_num] = value.	0	Multiply value and a specified global.
NBNM	not used	16th byte of the decoded name (the resource or service code) is stored in this global.	Length of the name	Display NetBIOS (reversible half-ASCII) name.
NOTG	Value to NOT.	Global to store result. If the high bit of the global is on then store value numbered global into global, i.e., global[glob_num] ~= global[value] instead of global[glob_num] ~= value.	0	Logical NOT a specified global.
ORRG	Value to OR.	Global to OR. If the high bit of the global is on then store value numbered global into global, i.e., global[glob_num] \|= global[value] instead of global[glob_num] \|= value.	0	Logical OR value and a specified global.
OSTP	not used	Result displayed is stored in this global.	4	4 bytes displayed as characters.
POPX	not used	Value popped from stack is stored in this global.	0	Pops one value from the stack and stores the value in the global specified.
PORT	If value is set to 0, a 2-byte field is displayed as a TCP/UDP port. If value is set to 1, a 2-byte field is displayed as a NetWare port.	Result displayed is stored in this global.	2	Used to display a port field. If value is set to 0, a 2-bit field is displayed as a TCP /UDP port. If value is set to 1, a 2-bit field is displayed as a Netware port. In any of the above cases, also try to find a match in the name table, and display the name if found.
PRTO	If value is set to 1, a 2-byte field is displayed as an unsigned 16-bit integer depicting Ethernet Type II protocol type. If value is set to 2, a 1- byte field is displayed as an unsigned hexadecimal byte depicting the LSAP type (802.2). If value is set to 3, a 5-byte field is displayed as an 802.2 SNAP value in hexadecimal.	Result displayed is stored in this global. If it's an 802.2 SNAP ID, then only the bottom 4 bytes are stored.	If value is 0 or 1, increment is 2. If value is 2, increment is 1. If value is 3, increment is 5.	Used to display a protocol field. An attempt is made to find that protocol in the name table. If a match is made, then the name will be displayed.
PSTR	High bit signifies display as 7-bit ASCII, i.e., ignore the high bit of each byte.	Length of the string (not including length byte) is stored here.	Length of the string plus 1 for length byte.	Display a Pascal-style string. The first data byte indicates the length of the string.
PUSH	not used	Global value to push onto the stack.	0	Pushes a value onto the stack.
SBIT	Bit number to test.	Global to test.	0	Test the bit specified by value in the specified global and remember for the next test. Bit numbers start with zero as the least significant bit.
SCMP	Number of chars to compare.	not used.	0	Compares the number of bytes specified by value field to the string specified in the string field. If equal, the test boolean flag will be set to true.
SEQU	Value to check against global.	Global to check against value. If the high bit of the global is on then compare value numbered global with global, i.e., global[glob_num] == global[value] instead of global[glob_num] == value.	0	Check value against global, and set previous test if equal.
SGTE	Value to check against global.	Global to check against value. If the high bit of the global is on then compare value numbered global with global, i.e., global[glob_num] <= global[value] instead of global[glob_num] <= value.	0	Check value against global, and set previous test if greater than or equal.
SGTX	Value to check against global.	Global to check against value. If the high bit of the global is on then compare value numbered global with global, i.e., global[glob_num] < global[value] instead of global[glob_num] < value.	0	Check value against global, and set previous test if greater.
SHFL	Amount to shift left.	Global contains the value to shift.	0	Shifts the global value to the left the number specified in the value field.
SHFR	Amount to shift right.	Global contains the value to shift.	0	Shifts the global value to the right the number specified in the value field.
SKIP	Number of instructions to skip. If the value is 0 then the value will be determined by ENDS. If the high bit is set then skip if most recent test was false. If 2nd highest bit is set then do not skip. If 3rd highest bit is set then skip.	not used	0	Skip over value number of instructions if most recent test was true. If the high bit of the value is on then skip if most recent test was false. This is an easy way to branch over a few instructions without having to transfer to other decode resources. Note: You can not skip backwards (no negative values permitted).
SLTE	Value to check against global.	Global to check against value. If the high bit of the global is on then compare value numbered global with global, i.e., global[glob_num] >= global[value] instead of global[glob_num] >= value.	0	Check value against global, and set previous test if less than or equal.
SLTX	Value to check against global.	Global to check against value. If the high bit of the global is on then compare value numbered global with global, i.e., global[glob_num] > global[value] instead of global[glob_num] > value.	0	Check value against global, and set previous test if less than.
SNEQ	Value to check against global.	Global to check against value. If the high bit of the global is on then compare value numbered global with global, i.e., global[glob_num] != global[value] instead of global[glob_num] != value.	0	Check value against global, and set previous test if not equal.
SUBG	Value to subtract.	Global to store result. If the high bit of the global is on then subtract value numbered global from global, i.e., global[glob_num] -= global[value] instead of global[glob_num] -= value.	0	Subtract value from a specified global.
TBIT	Bit number to test.	Global to test. If global has 0x100 set, then previous test must also be true before transferring.	0	If the bit number contained in value is set then branch to the named decoder. Bit numbers start with zero as the least significant bit.
TEQU	Value to check against global.	Global to check against value. If global has 0x100 set, then previous test must also be true before transferring.	0	Test value against a global and branch to the named decoder if they match.
TGTE	Value to check against global.	Global to check against value. If global has 0x100 set, then previous test must also be true before transferring.	0	If value is greater than or equal to a global then branch to the named decoder. (ie. global <= value)
TGTX	Value to check against global.	Global to check against value. If global has 0x100 set, then previous test must also be true before transferring.	0	If value is greater than a global then branch to the named decoder. (ie. global < value)
TIME	If value is 1, format is AppleTalk AFP time. If value is 2, format is IP time. If value is 3, format is NTP time. If value is 4, format is ANSI time. If value is 5, format is SMB time.	Result displayed is stored in this global (except in the case of SMB time).	4 (or 8, in the case of SMB time)	4 (or 8) bytes are displayed in hexadecimal and then are used to display the corresponding time.
TLSE	not used	not used	0	If most recent test is false then branch to the named decoder.
TLTE	Value to check against global.	Global to check against value. If global has 0x100 set, then previous test must also be true before transferring.	0	If value is less than or equal to a global then branch to the named decoder. (ie. global >= value)
TLTX	Value to check against global.	Global to check against value. If global has 0x100 set, then previous test must also be true before transferring.	0	If value is less than a global then branch to the named decoder. (ie. global > value)
TNEQ	Value to check against global.	Global to check against value. If global has 0x100 set, then previous test must also be true before transferring.	0	Test value against a global. If not equal then branch to the named decoder.
TNXT	not used	not used	0	Branch to the named decoder.
TRNG	not used	not used	6	Six bytes as an 802.5 Token Ring address. Also an attempt is made to translate the address into a DECnet address. Also an attempt is made to find that address and/or DECnet address in the name table. The bit for source routing information is ignored for such searches. If a match is made, then the name will be displayed.
TRTS	not used	not used	0	Return from a subroutine. The return is to the instruction following the last TSUB encountered.
TST#	Value to subtract from global	Index into string resource	0	A str# resource with the following string name is loaded and an index (in a global) is used to get the name of the decoder to be loaded. If there is a value it is subtracted from the global. If there is no such name, nothing happens, but test result is set to false.
TSB#	Value to subtract from global	Index into string resource	0	A str# resource with the following string name is loaded and an index (in a global) is used to get the name of the decoder to be loaded. The decoder that is loaded will return upon completion. If there is a value it is subtracted from the global. If there is no such name, nothing happens, but test result is set to false.
TSUB	not used	not used	0	Subroutine branch to the named decoder. Remember the current instruction's location for the TRTS instruction. Subroutine nesting is limited to 16 levels.
TTST	not used	not used	0	If the most recent test is true, branch to the named decoder. Will also do a TEQU if a global is specified.
XTST	not used	not used	0	Similar to TTST, but after branching to the named decoder, it will return to this location.
XBIT	Bit number to test.	Global to test. If global has 0x100 set, then previous test must also be true before transferring.	0	Similar to TBIT, but after branching to the named decoder, it will return to this location.
XEQU	Value to check against global.	Global to check against value. If global has 0x100 set, then previous test must also be true before transferring.	0	Similar to TEQU, but after branching to the named decoder, it will return to this location.
XGTE	Value to check against global.	Global to check against value. If global has 0x100 set, then previous test must also be true before transferring.	0	Similar to TGTE, but after branching to the named decoder, it will return to this location.
XGTX	Value to check against global.	Global to check against value. If global has 0x100 set, then previous test must also be true before transferring.	0	Similar to TGTX, but after branching to the named decoder, it will return to this location.
XLTE	Value to check against global.	Global to check against value. If global has 0x100 set, then previous test must also be true before transferring.	0	Similar to TLTE, but after branching to the named decoder, it will return to this location.
XLTX	Value to check against global.	Global to check against value. If global has 0x100 set, then previous test must also be true before transferring.	0	Similar to TLTX, but after branching to the named decoder, it will return to this location.
XNEQ	Value to check against global.	Global to check against value. If global has 0x100 set, then previous test must also be true before transferring.	0	Similar to TNEQ, but after branching to the named decoder, it will return to this location.
XLSE	not used	not used	0	Similar to TLSE, but after branching to the named decoder, it will return to this location.
WHOA	Default index of string within the str# designated by the string field to use in future WHOA. Upper 8 bits, if non-zero, indicate a global number where the packet number of the MARK is placed if a match is found.	Contains the reference point for linking request and response packets, usually transaction ID or port # etc. Used to search the cache along with the string field number, retrieving the value field and packet number.	0	See the more detailed overall explanation MARK and WHOA threading that follows. If a packet type can not be determined from data within the packet itself, a cache is searched to determine if some earlier packet did a MARK instruction to give a clue as to how to decode this packet. If no such entry exists in the cache, a question mark is displayed at the bottom of the decode window while a default decode is provided or the user's input is necessarily requested or the previous choice is assumed depending upon the current mode of operation. When the question mark is displayed or any other choice has been made either manually or through the MARK instruction, clicking on the name or question mark displayed at the bottom of the window causes the user's input to be requested again. Any value selected by explicit user input will override any previous choices made through the MARK or other mechanisms. The string should contain the name of a str# resource that contains the names of the decode resource choices that may be used on the next part of the packet.

Private Instructions

Instruction	Value	Global	Description
PRV1	not used	not used	Display packet timestamp.
PRV2	not used	Result is stored in this global.	Display internal packet flags.
PRV3	not used	Result is stored in this global.	Display internal packet status.
PRV4	not used	Result is stored in this global.	Display packet length.
PRV5	not used	Result is stored in this global.	Display packet slice length.
PRV6	not used	Result is stored in this global.	Display 802.3 length field (as opposed to the Ethernet Type II protocol field located in the same location).
PRV7	not used	not used	Reserved for future use.
PRV8	not used	not used	Reserved for future use.

Data Formats

In every decode instruction the data format is one byte. It can be divided into two 4-bit sections: the high 4 bits signify the columnar location to display the data (the data location bits) and the low 4 bits signify the style (color, etc.) in which the data should be displayed (the data style bits).

Data Format Representation

Bit	7	6	5	4	3	2	1	0
Field	Format				Style

Data Location Field

Value	Meaning
0x0	Display data immediately with no spaces.
0x1	Display data after a carriage return.
0x2	Skip 2 spaces, then display data.
0x3	Skip 4 spaces, then display data.
0x4	Display data beginning in column 4.
0x5	Display data beginning in column 8.
0x6	Display data beginning in column 12.
0x7	Display data beginning in column 16.
0x8	Display data beginning in column 20.
0x9	Display data beginning in column 24.
0xA	Display data beginning in column 28.
0xB	Display data beginning in column 32.
0xC	Display data beginning in column 36.
0xD	Display data beginning in column 40.
0xE	Display data beginning in column 44.
0xF	Display data beginning in column 48.

Data Style Field

Value	Meaning
0x0	Plain data.
0x1	Layer label.
0x2	Data label.
0x3	header label (for use with PRVx instructions).
0x4	Message.
0x5	Invisible.
0x6	Data dump label.
0x7	Indent.
0x8	Unindent.
0x9	Unused.
0xA	Unused.
0xB	Unused.
0xC	Unused.
0xD	Unused.
0xE	Unused.
0xF	Unused.

Label Formats

In every decode instruction the label format is one byte. The label format byte can be divided into one 1- bit field (the highest bit) which tells whether a new line should precede the label (the newline bit), one 3- bit field that tells the columnar location to display the label (the label location bits), and one 4-bit field (the lowest bits) which tell the style (color, etc.) in which the label should be displayed (the label style bits).

Label Format Representation

Bit	7	6	5	4	3	2	1	0
Field	Line	Format			Style

Label Newline Field

Value	Meaning
0x0	No new line before label.
0x1	New line before label.

Label Location Field

Value	Meaning
0x0	Display label immediately with no spaces.
0x1	Skip 2 spaces, then display data.
0x2	Skip 4 spaces, then display data.
0x3	Display label beginning in column 0.
0x4	Display label beginning in column 2.
0x5	Display label beginning in column 24.
0x6	Display label beginning in column 32.
0x7	Display label beginning in column 36.

Label Style Field

Value	Meaning
0x0	Plain.
0x1	Layer label.
0x2	Data label.
0x3	Header label (for use with PRVx instructions).
0x4	Message.
0x5	Invisible.
0x6	Unused.
0x7	Indent.
0x8	Unindent.
0x9	Unused.
0xA	Unused.
0xB	Unused.
0xC	Unused.
0xD	Unused.
0xE	Unused.
0xF	Unused.

Instruction Index

A	B	C		D		E	F	G
ADDG	BBIT	CBIT	CRLF	D64B	DMPE	EBC#	FCSC	GBIT
ANDG	BBYT	CEQU	CST#	DBIT	DUMP	ETHR	FTPL	GBYT
AT01	BEEP	CGTE	CSTR	DBRK	DWRD			GLNG
AT03	BGLB	CHR#		DBYT				GSTR
ATLG	BITO	CKSM		DECR				GWRD
	BLNG	CLSE		DGLB
	BREM	CLTE		DIVG
	BST#	CNEQ		DLNG
	BWRD
	BYTO

H	I	L	M	N	O	P	S
HBIT	INCR	LABL	MARK	NBNM	ORRG	POPX	SBIT	SKIP
HBYT	IPLG	LSTE	MODG	NOTG	OSTP	PORT	SCMP	SLTE
HEX#	IPV6	LSTS	MOVE			PRTO	SEQU	SLTX
HGLB		LSTZ	MULG			PSTR	SGTE	SNEQ
HLNG						PUSH	SGTX	SUBG
HWRD							SHFL
							SHFR

T		W	X
TBIT	TRAK	WHOA	XBIT
TEQU	TRNG		XEQU
TGTE	TRTS		XNEQ
TGTX	TSB#		XGTE
TIME	TST#		XGTX
TLSE	TSUB		XLSE
TLTE	TTST		XLTE
TLTX	TYPE		XLTX
TNEQ			XNEQ
TNXT			XTST