Difference between revisions of "Wireshark/FIX"
(Created page with "{{DISPLAYTITLE:Snoop FIX traffic with Wireshark}} The FIX protocol used extensively in the financial industry. In a former life I was holding a position that brought me in conta...") |
|||
Line 34: | Line 34: | ||
* [http://fixprotocol.org/ FIX protocol website] |
* [http://fixprotocol.org/ FIX protocol website] |
||
* [http://www.wireshark.org/docs/dfref/f/fix.html FIX protocol Wireshark docs] |
* [http://www.wireshark.org/docs/dfref/f/fix.html FIX protocol Wireshark docs] |
||
[[Category: Wireshark]] |
|||
[[Category: Linux]] |
Revision as of 22:10, 25 June 2012
The FIX protocol used extensively in the financial industry. In a former life I was holding a position that brought me in contact with it although I don't know much about it. As a infrastructure guy I was getting requests asking for help with CompID this or that. Unfortunately a CompID does not translate directly to a usable IP address or a TCP port, parameters I operate with.
After getting one too many of these requests I set out to learn enough about the FIX protocol to retrieve the data from a machine we setup as a sniffer monitoring firewall traffic of a mirrored port on a Cisco switch. The machine was a server not running X only CLI tools of wireshark such as tshark were available for use.
Prerequisites
- Machine with wireshark / tshark installed.
- Access to FIX traffic.
Howtos
Find IP address and port by CompID
There are a few CompID tags in wireshark but the easiest is probably to use fix.SenderCompID for traffic source and fix.TargetCompID for traffic destination. In the example below we'll query both types. tshark will display a few IP addresses and ports. It should be easy to determine IP address and port of the external party.
tshark -l -n -i <Interface> -t ad \ -R 'fix.SenderCompID == "<CompID>" or fix.TargetCompID == "<CompID>"'
While the above is a good start if we want to keep that information handy by sticking into a database we need to up the stakes a bit. Luckily tshark has the -T fields switch followed by multiple -e <field> to define the output. The below example will stop after the first match (-c 1) as there is not much to continuously show the same information over and over.
tshark -i <Interface> \ -n \ -c 1 \ -E header=y \ -T fields \ -e fix.SenderCompID \ -e fix.TargetCompID \ -e ip.src \ -e tcp.srcport \ -e ip.dst \ -e tcp.dstport \ -R 'fix.SenderCompID == "<CompID>" or fix.TargetCompID == "<CompID>"' \ 2> /dev/null