This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

FIX protocol capturing

0

Hello,

Is it possible to capture in tshark the dump which:

  • contains FIX protocol packets only
  • capturing without decoding

If yes, which capture-filter needs to be applied?

Thanks in advance!

asked 13 Feb '14, 05:51

mrav's gravatar image

mrav
16448
accept rate: 0%

edited 13 Feb '14, 06:10

One Answer:

1

Every FIX message starts with the string '8=FIX', followed by a version number. So, you need to filter for that string.

This can be done with a simple capture filter, like the following:

tcpdump -ni eth0 'host 1.2.3.4 and tcp[20:4]=0x383D4649 and tcp[24:1]=0x58' -w fix.pcap
dumpcap -ni eth0 'host 1.2.3.4 and tcp[20:4]=0x383D4649 and tcp[24:1]=0x58' -w fix.pcap

HOWEVER: That will only work, if there are not TCP options. If there are options, you must adjust the offest [20:4], according to the bytes consumed by the TCP header options. And if some implementation does not adhere fully to the standard, and uses lower case letters (8=fix), the capture filter won't work, as it only matches upper case letters.

As that's kind of odd, there is a better/simpler way.

ngrep:

ngrep -d eth0 -i '8=FIX' 'host 1.2.3.4 and tcp' -O fix.pcap

Ngrep will search for the string '8=FIX' (-i is ignore case) in any tcp frame from/to 1.2.3.4 (replace that with the IP address in your environment). Every matching frame will be written to fix.pcap.

Regards
Kurt

answered 13 Feb '14, 12:15

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 14 Feb '14, 02:21