Ask Your Question

Why is pcap message missing but fix log has it?

asked 2018-03-14 16:26:28 +0000

down vote favorite

I am getting a huge number of FIX messages from several MarketData providers.

I have noticed a latency issue between FIX log time and message send time (Tag 52).

I have run a pcap with RawCap, and am analysising with WireShark.

Although the FIX message has made it to my log file, it is NOT in the pcap. I have searched for the message SeqNum (tag 34) but it cannot be found. However, I can find FIX messages from before and after.

I also see "TCP Previous segment not captured" BUT if I have lost segment, how has FIX message got into log file?

Could someone explain what might be going on?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2018-03-14 17:21:01 +0000

cmaynard gravatar image

I am getting a huge number of FIX messages

Perhaps your capture mechanism can't keep up with the flow of messages? I've used RawCap in the past to capture packets, mostly for loopback capturing on Windows, but I don't know its capture capabilities as it pertains to performance or what you could possibly do to improve it. Does RawCap provide any information about dropped packets? If not, it might still be dropping them but just not reporting it.

You could try using dumpcap instead, which will report the number of dropped packets. If you see dropped packets with dumpcap, it's likely RawCap was dropping packets too. Dumpcap can be tuned a bit though by increasing the capture buffer size among other things, but perhaps RawCap can be tuned as well. Alternatively, if you can't get the performance you need, you could try capturing using a separate, dedicated, more capable capture machine/device (for example, with a TAP). Have a look at the Performance wiki page for other ideas.

edit flag offensive delete link more


What I don't understand is why would RawCap miss the packet BUT the actual receiving app (QuickFix/.Net) does not...

ManInMoon gravatar imageManInMoon ( 2018-03-14 17:28:44 +0000 )edit

Perhaps the capture buffer is too small?

You might want to inquire with the Netresec folks about RawCap's performance capabilities and limitations and for advice on how to get better performance out of it.

cmaynard gravatar imagecmaynard ( 2018-03-14 18:09:52 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-03-14 16:26:28 +0000

Seen: 28 times

Last updated: Mar 14