Chopshop: Busting The Gh0St

In incident response or intelligence gathering, the question “what happened on the network?” is commonplace. As adversaries deploy remote access trojans onto target networks, being able to answer that question depends on your ability to understand the protocols being used. Some protocols are well understood by common utilities like Wireshark, but what do you do when the protocol is foreign to your tools? You have to write a custom decoder. We will present Chopshop, an open source framework for protocol analysis and decoding. Chopshop tries to make the task of writing a custom protocol decoder as easy as possible by presenting a standard API for the decoder and a rich set of libraries. The decoders are modules that run on top of the framework, which makes sharing them with third parties and partners considerably easier. We will demonstrate Chopshop in the context of the gh0st protocol (discussed in published reports such as The VOHO Campaign), a well-known remote access trojan.
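As an added example (not part of the talk abstract, and not written against Chopshop's own module API), here is a stand-alone Python decoder for the gh0st framing that a custom decoder has to walk: a "Gh0st" magic, two little-endian 32-bit lengths, then a zlib-compressed body. That layout is taken from public analyses of the RAT and is an assumption here; the sample stream is constructed, and the decoder records where a stream stops parsing rather than silently skipping bytes.

```python
import struct
import zlib

# Header layout taken from public analyses of the gh0st RAT (assumption for this example):
#   "Gh0st" (5 bytes) | total_len uint32 LE (header + payload) | raw_len uint32 LE | zlib payload
GH0ST_MAGIC = b"Gh0st"
HEADER_LEN = 13


def parse_gh0st_stream(stream: bytes) -> list:
    """Walk a reassembled TCP stream and return one record per gh0st frame.

    Decoding stops at the first malformed frame; that frame is recorded with an
    'error' key so an analyst can see exactly where the stream stopped making sense.
    """
    frames, offset = [], 0
    while offset + HEADER_LEN <= len(stream):
        if stream[offset:offset + 5] != GH0ST_MAGIC:
            frames.append({"offset": offset, "error": "bad magic"})
            break
        total_len, raw_len = struct.unpack_from("<II", stream, offset + 5)
        if total_len < HEADER_LEN or offset + total_len > len(stream):
            frames.append({"offset": offset, "error": "truncated frame"})
            break
        try:
            payload = zlib.decompress(stream[offset + HEADER_LEN:offset + total_len])
        except zlib.error:
            frames.append({"offset": offset, "error": "zlib failure"})
            break
        frames.append({
            "offset": offset,
            "total_len": total_len,
            "raw_len": raw_len,
            "length_ok": len(payload) == raw_len,     # header claim vs. what actually inflated
            "token": payload[0] if payload else None,  # first decompressed byte carries the command token
            "payload": payload,
        })
        offset += total_len
    return frames


def build_frame(payload: bytes) -> bytes:
    """Constructed sample frame in the same layout, used only to produce offline test input."""
    compressed = zlib.compress(payload)
    return GH0ST_MAGIC + struct.pack("<II", HEADER_LEN + len(compressed), len(payload)) + compressed


# Constructed sample: two well-formed frames, then a header claiming more bytes than remain.
SAMPLE_STREAM = (build_frame(b"\x65hostname-constructed") + build_frame(b"\x66")
                 + GH0ST_MAGIC + struct.pack("<II", 500, 10))

if __name__ == "__main__":
    for rec in parse_gh0st_stream(SAMPLE_STREAM):
        print(rec)
```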

Presented by