This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Read LZO compressed payload in pcap file


I am using Wireshark 1.10.6 to analyse my pcap file. The pcap is human readable once loaded in Wireshark, but the "payload" is not. It has been compressed using the LZO algorithm and I intend to use a utility that could decompress the LZO payload and change it to a human readable format. Currently it is in hex format, as shown in the picture below.

The data is from NSE Exchange. Steps for decompression have been given in https://www.nseindia.com/content/press/Realtime_CM_L1.pdf (page 29).

What would be the best way to make the whole pcap file human readable? I am sure this is a pretty common procedure used by many HFT firms to track their orders.

Update 1: I dumped the log as a C arrays file, which looks something like below, and my aim is to make it readable.


asked 21 Jan '17, 01:03

hftguy

edited 23 Jan '17, 03:38


One Answer:


What you need is a dissector for the payload. These are a fundamental aspect of Wireshark; that's how the rest of the data in the packet (Ethernet/IP/TCP) can be displayed in "human readable format".

See the wiki page on Development, then decide how you will create your dissector. You can use C (all the "built-in" dissectors use C), Lua or, for simpler protocols, WSGD.

If you're able to program in C, then using that will produce the highest performing dissector (load and filter times will be faster), else start with Lua.

answered 21 Jan '17, 05:53

grahamb ♦