Difference between revisions of "Wireshark/FIX"

From braindump
Revision as of 22:23, 25 June 2012


The FIX protocol is used extensively in the financial industry. In a former life I was holding a position that brought me in contact with it, although I don't know much about it. As an infrastructure guy I was getting requests asking for help with CompID this or that. Unfortunately a CompID does not translate directly to a usable IP address or a TCP port, the parameters I operate with.

After getting one too many of these requests I set out to learn enough about the FIX protocol to retrieve the data from a machine we set up as a sniffer monitoring firewall traffic on a mirrored port of a Cisco switch. The machine was a server not running X, so only the CLI tools of Wireshark, such as tshark, were available for use.

Prerequisites

  • Machine with wireshark / tshark installed.
  • Access to FIX traffic.

Howtos

Find IP address and port by CompID

There are a few CompID tags in wireshark but the easiest is probably to use fix.SenderCompID for traffic source and fix.TargetCompID for traffic destination. In the example below we'll query both types. tshark will display a few IP addresses and ports. It should be easy to determine IP address and port of the external party.

tshark -l -n -i <Interface> -t ad \
   -R 'fix.SenderCompID == "<CompID>" or fix.TargetCompID == "<CompID>"'

While the above is a good start, it is better to prettify the result and have both CompID and IP address shown in the output. Luckily tshark has the -T fields switch, followed by multiple -e <field> options, to define the output. The example below stops after the first match (-c 1), as there is not much point in continuously showing the same information over and over.

tshark -i <Interface> \
       -n \
       -c 1 \
       -E header=y \
       -T fields \
       -e fix.SenderCompID \
       -e fix.TargetCompID \
       -e ip.src \
       -e tcp.srcport \
       -e ip.dst \
       -e tcp.dstport \
       -R 'fix.SenderCompID == "<CompID>" or fix.TargetCompID == "<CompID>"' \
       2> /dev/null

Map IP addresses and ports to CompID

The above is pretty nifty but only applicable to a particular connection. To continuously match FIX traffic passing through, a few modifications to the above example have to be put in place. While nearly identical to the above example, two changes have been made. First, the -c option is gone so that FIX traffic is matched indefinitely. Next, the filter under -R has been reduced to fix.TargetCompID, so it will only match FIX traffic with CompIDs.

tshark -i <Interface> \
       -n \
       -E header=y \
       -T fields \
       -e fix.SenderCompID \
       -e fix.TargetCompID \
       -e ip.src \
       -e tcp.srcport \
       -e ip.dst \
       -e tcp.dstport \
       -R 'fix.TargetCompID' \
       2> /dev/null
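The tshark command above prints one tab-separated row per packet with the header row enabled by -E header=y. As an added example that is not part of the original page, the Python script below consumes that output (either piped live from the command above or saved to a file) and builds the CompID to IP:port map in memory, covering both the one-shot lookup from the "Find IP address and port by CompID" section and the continuous mapping from this one. The sample tshark output embedded in it is constructed, and the assumption that tshark joins repeated field values in one packet with a comma (its default -E aggregator) is marked in the code.

```python
"""Build a CompID -> {(ip, port), ...} map from tshark -T fields output.

Usage: tshark ... -T fields -E header=y ... 2>/dev/null | python3 fixmap.py
"""
import csv
import io
import sys
from collections import defaultdict

# Constructed sample of what the tshark command above prints: a header row,
# then one tab-separated row per packet. All CompIDs and addresses are made up.
SAMPLE_TSHARK_OUTPUT = (
    "fix.SenderCompID\tfix.TargetCompID\tip.src\ttcp.srcport\tip.dst\ttcp.dstport\n"
    "CLIENTA\tBROKERX\t10.1.2.3\t51234\t192.0.2.10\t9876\n"
    "BROKERX\tCLIENTA\t192.0.2.10\t9876\t10.1.2.3\t51234\n"
    # One TCP segment carrying two FIX messages: tshark joins the repeated
    # field values with "," (assumption: default -E aggregator=,).
    "CLIENTB,CLIENTB\tBROKERX,BROKERX\t10.1.2.4\t51300\t192.0.2.10\t9876\n"
    # A packet without CompID fields (e.g. a bare ACK) must be skipped.
    "\t\t10.1.2.9\t40000\t192.0.2.10\t9876\n"
)


def parse_fields_output(text):
    """Yield one dict per packet row, keyed by the header row's field names."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    for row in reader:
        yield row


def _distinct_values(value):
    """Split a comma-aggregated field value into its distinct non-empty parts."""
    return {v for v in (value or "").split(",") if v}


def map_compids(text):
    """Return {CompID: {(ip, port), ...}}.

    A SenderCompID is attributed to the packet's source endpoint and a
    TargetCompID to its destination endpoint, so both sides of a session
    end up mapped after a single request/response exchange.
    """
    endpoints = defaultdict(set)
    for row in parse_fields_output(text):
        senders = _distinct_values(row.get("fix.SenderCompID"))
        targets = _distinct_values(row.get("fix.TargetCompID"))
        if not senders and not targets:
            continue  # not a FIX message, nothing to attribute
        src = (row["ip.src"], int(row["tcp.srcport"]))
        dst = (row["ip.dst"], int(row["tcp.dstport"]))
        for comp in senders:
            endpoints[comp].add(src)
        for comp in targets:
            endpoints[comp].add(dst)
    return dict(endpoints)


def lookup(mapping, comp_id):
    """Sorted list of 'ip:port' strings seen for one CompID (empty if unknown)."""
    return [f"{ip}:{port}" for ip, port in sorted(mapping.get(comp_id, ()))]


if __name__ == "__main__":
    mapping = map_compids(sys.stdin.read())
    for comp in sorted(mapping):
        print(comp, ", ".join(lookup(mapping, comp)))
```

A CompID on the initiating side will typically accumulate several ephemeral source ports across reconnects, while the accepting side keeps a single port; comparing the two sets is the quickest way to tell the listener from the client. Note that tshark versions from 1.10 onwards treat -R as a two-pass read filter that requires -2; on those versions use -Y for the display filter instead, the field output is unchanged.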
