There appears to be a problem with the SOCKS V5 decode.
It appears to identify SOCKS traffic by TCP dest 1080, then a version 5 packet by the first byte of the SOCKS packet.
However, for any SOCKS headers that begin with 0x0501 it interprets them as a client authentication method response of 1 method (null auth). It improperly decodes V5 connect requests this way (snoop doesn't).
There should be a test for a third V5 byte of 00, this would indicate that the header is a V5 request, or reply, instead of an authentication negotiation header.
If the second byte is 01 and there is a third byte (00) then the packet is either a Connect request or a reply of General Server Failure. The fourth byte would be the address type followed by the address and port.
I am not a programmer so I would appreciate any contributions to fix this. I have a nice animated powerpoint of the SOCKS protocol for any volunteers.