Snoop FIX traffic with Wireshark

From braindump
Revision as of 10:52, 17 July 2012 by Uroesch (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

The FIX protocol used extensively in the financial industry. In a former life I was holding a position that brought me in contact with it although I don't know much about it. As a infrastructure guy I was getting requests asking for help with CompID this or that. Unfortunately a CompID does not translate directly to a usable IP address or a TCP port, parameters I operate with.

After getting one too many of these requests I set out to learn enough about the FIX protocol to retrieve the data from a machine we setup as a sniffer monitoring firewall traffic of a mirrored port on a Cisco switch. The machine was a server not running X only CLI tools of wireshark such as tshark were available for use.

Prerequisites

  • Machine with wireshark / tshark installed.
  • Access to FIX traffic.

Howtos

Find IP address and port by CompID

There are a few CompID tags in wireshark but the easiest is probably to use fix.SenderCompID for traffic source and fix.TargetCompID for traffic destination. In the example below we'll query both types. tshark will display a few IP addresses and ports. It should be easy to determine IP address and port of the external party. 

tshark -l -n -i <Interface> -t ad \
   -R 'fix.SenderCompID == "<CompID>" or fix.TargetCompID == "<CompID>"'

While the above is a good start it is better to prettify the result and have both CompID and IP address shown in the output. Luckily tshark has the -T fields switch followed by multiple -e <field> to define the output. The below example will stop after the first match (-c 1) as there is not much to continuously show the same information over and over. 

tshark -i <Interface> \
       -n \
       -c 1 \
       -E header=y \
       -T fields \
       -e fix.SenderCompID \
       -e fix.TargetCompID \
       -e ip.src \
       -e tcp.srcport \
       -e ip.dst \
       -e tcp.dstport \
       -R 'fix.SenderCompID == "<CompID>" or fix.TargetCompID == "<CompID>"' \
       2> /dev/null

Map IP addresses and ports to CompID

The above is pretty nifty but only applicable to a particular connection. To continuously match FIX traffic passing through a few modifications to the above example have to be put in place. While nearly identical to the above example two changes have been made. First the -c option is gone to indefinitely match FIX traffic. Next the filter under -R has been adjusted using fix.TargetCompID it will only match only FIX traffic with CompID's 

tshark -i <Interface> \
       -n \
       -E header=y \
       -T fields \
       -e fix.SenderCompID \
       -e fix.TargetCompID \
       -e ip.src \
       -e tcp.srcport \
       -e ip.dst \
       -e tcp.dstport \
       -R 'fix.TargetCompID' \
       2> /dev/null

References

Retrieved from "https://braindump.bun.ch/index.php?title=Wireshark/FIX&oldid=824"