MoldUDP Dissector for Wireshark

(Download: C, DLL, ZIP (includes Makefiles), Wireshark)

MoldUDP is a Nasdaq protocol used to transport trade-related information in a UDP feed. It is fairly simple in nature, and the specification can be read here (or by googling "moldudp" if that link stops working).

Most financial institutions use this protocol in one or more systems. When I was asked to analyse an interruption to a feed, I learned that my favourite tool, Wireshark, didn't have a built-in dissector for MoldUDP, so I decided to kill two birds with one stone. It's far from ideal, and as such I treat it as incomplete, but with a little poking it can still be a useful tool in its current form.

What is it?

A dissector is a plugin for Wireshark that decodes a protocol when inspecting packet captures, for example when analysing network traffic after a user complains about the integrity of a data stream. The dissector code (which comes with NO WARRANTY) is written in C, and has been tested on Windows XP running in VirtualBox 3.1.4 under Mac OS X (Snow Leopard 10.6.2). I have compiled it to a DLL (which also comes with NO WARRANTY) which may or may not work for you. The specific Wireshark version I have tested it on is 1.2.6 (SVN Rev 31702); I believe it works on others.

This is FREE SOFTWARE (as in beer and speech) and can be freely used, modified or extended by anyone, anywhere, for whatever purpose. It's probably only of use to Network Engineers and Market Data Support staff in financial institutions, but those people are welcome to use it to enhance Wireshark. If you do wish to modify or extend this dissector, I ask that you let me know. If anyone is seriously interested in adding this to a public repository, again just let me know and I'll set one up (or link to yours).

What can it do?

Right now, it correctly interprets the protocol header of Downstream Packets, but not the message payload. The header information gathered consists of:

What use is that?

The information currently provided by this dissector is a little light, and that will be dealt with in the future (feel free to contribute by contacting me with patches, suggestions or help), but that doesn't mean it's of no use.

From the perspective of a Network Engineer, it provides everything we need to validate fault reports regarding a MoldUDP stream. "We missed messages 139468-139472, was it our infrastructure or the vendor feed?" is a typical one (with different sequence numbers, of course), and this dissector provides a stepping stone. You'll still need to do some legwork, capturing packets as close as possible to the point where the feed enters your network, before you can say with any certainty that the vendor never delivered the messages rather than that they were lost inside your own infrastructure.

Once you've built or dropped the dissector module into the plugins directory of your Wireshark install, fire up Wireshark with a PCAP containing MoldUDP traffic. The exact steps vary by version, but you want to select a known MoldUDP packet and, either from the right-click menu or the 'Analyze' menu, choose 'Decode As'. On the 'Transport' tab, select MoldUDP from the list on the right. Hit OK, and you should now see the MoldUDP header fields in the packet details (middle) pane.
Click on one of the header fields in the packet details pane and check the status bar at the bottom. It shows the Display Filter name for that field, which is what you use in filters and custom columns:

I'll leave it to your imagination what you might do with each of these.

That's rubbish - why isn't it better?

I wrote most of the dissector without actually compiling it, working from the Wireshark developer documentation. Once I had the basic functionality sorted I worked on getting it compiled (installing and preparing all of the necessary tools and sources alone took me a couple of hours). It worked (partially) straight off the bat, but then the reality of debugging the dissector hit me and I was caught in cycles of scouring documentation, making minor changes, recompiling, moving the fresh DLL to my default Wireshark plugins directory, re-opening a PCAP and inspecting the results. There are doubtless better ways to do this, but I was so engrossed in what I was doing that I didn't really care at the time. You might, so I suggest you find out, for the sake of your sanity.

There is also the argument that it doesn't NEED to be much better. The functionality as it stands lets you view message sequence numbers and the next expected sequence number in custom columns, flick through the PCAP (or use a clever display filter) and check which messages are (or are not) there. We shouldn't really care about the actual contents of the messages: the sell price of a particular stock, or the quantity purchased in a trade, is of no particular interest to us. If you're using this dissector nefariously, then you're probably going about it all wrong anyway.
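To make the sequence-gap check concrete (the "we missed messages 139468-139472" question from the earlier section, and the "next expected sequence number" column above), here is a small Python parser and gap checker. It is an added example, not the Wireshark dissector from this page and not Nasdaq's code. It assumes the MoldUDP64 downstream layout (10-byte space-padded ASCII session, 8-byte big-endian sequence number, 2-byte message count, then length-prefixed message blocks) and the 0xFFFF end-of-session count; set SEQ_WIDTH to 4 for the older 4-byte sequence number. The packets it runs over are constructed inline, not captured traffic.

```python
# Added example: MoldUDP downstream-packet parser and sequence-gap checker.
# Not the dissector from the page. Field layout is an assumption taken from
# the MoldUDP64 spec: Session 10 bytes ASCII (space padded), Sequence Number
# 8 bytes big-endian, Message Count 2 bytes big-endian, then Message Count
# blocks of [2-byte length][message]. SEQ_WIDTH = 4 covers the older variant.
import struct
from dataclasses import dataclass, field

SESSION_LEN = 10
SEQ_WIDTH = 8                      # assumption: 8 for MoldUDP64, 4 for original MoldUDP
COUNT_LEN = 2
HEADER_LEN = SESSION_LEN + SEQ_WIDTH + COUNT_LEN
END_OF_SESSION = 0xFFFF            # assumption: MoldUDP64 end-of-session message count


@dataclass
class Downstream:
    session: str
    seq: int
    count: int
    message_lengths: list = field(default_factory=list)

    @property
    def next_expected(self) -> int:
        # The value a "next expected" custom column shows: the first sequence
        # number this packet does not carry. Heartbeats (count 0) and the
        # end-of-session marker carry no messages and do not advance it.
        carried = 0 if self.count == END_OF_SESSION else self.count
        return self.seq + carried


def build_downstream(session: str, seq: int, messages, count=None) -> bytes:
    """Build a constructed downstream packet for testing (no real feed data)."""
    count = len(messages) if count is None else count
    out = session.encode("ascii").ljust(SESSION_LEN, b" ")
    out += seq.to_bytes(SEQ_WIDTH, "big") + struct.pack("!H", count)
    for m in messages:
        out += struct.pack("!H", len(m)) + m
    return out


def parse_downstream(packet: bytes) -> Downstream:
    """Parse the header and walk every message block; raise on malformed input."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than MoldUDP header")
    session = packet[:SESSION_LEN].decode("ascii").rstrip()
    seq = int.from_bytes(packet[SESSION_LEN:SESSION_LEN + SEQ_WIDTH], "big")
    (count,) = struct.unpack_from("!H", packet, SESSION_LEN + SEQ_WIDTH)
    hdr = Downstream(session, seq, count)
    blocks = 0 if count == END_OF_SESSION else count
    offset = HEADER_LEN
    for _ in range(blocks):
        if offset + 2 > len(packet):
            raise ValueError("truncated message length at offset %d" % offset)
        (mlen,) = struct.unpack_from("!H", packet, offset)
        offset += 2
        if offset + mlen > len(packet):
            raise ValueError("message block runs past end of packet")
        hdr.message_lengths.append(mlen)
        offset += mlen
    if offset != len(packet):
        raise ValueError("%d trailing bytes after last message" % (len(packet) - offset))
    return hdr


def is_well_formed(packet: bytes) -> bool:
    """True if the packet parses cleanly; malformed feeds show up here first."""
    try:
        parse_downstream(packet)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def find_gaps(packets):
    """Return (session, first_missing, last_missing) for every hole seen.

    Per session, track the next expected sequence number. A packet whose
    sequence number is above it exposes a gap; one below it is a retransmission
    or a reordered packet and does not move the expectation backwards.
    """
    gaps = []
    expected = {}
    for pkt in packets:
        h = parse_downstream(pkt)
        exp = expected.get(h.session)
        if exp is not None and h.seq > exp:
            gaps.append((h.session, exp, h.seq - 1))
        expected[h.session] = max(exp or 0, h.next_expected)
    return gaps


# Constructed capture: three messages, a hole, a heartbeat, one more message,
# then end of session. Not real market data.
SAMPLE = [
    build_downstream("TEST000001", 139465, [b"A", b"BB", b"CCC"]),  # 139465-139467
    build_downstream("TEST000001", 139473, [b"D"]),                   # 139468-139472 missing
    build_downstream("TEST000001", 139474, []),                       # heartbeat, count 0
    build_downstream("TEST000001", 139474, [b"E"]),
    build_downstream("TEST000001", 139475, [], count=END_OF_SESSION),
]

if __name__ == "__main__":
    for p in SAMPLE:
        h = parse_downstream(p)
        print(h.session, h.seq, h.count, "next expected", h.next_expected)
    print("gaps:", find_gaps(SAMPLE))
```

Feed it the UDP payloads from a capture taken at your ingress point and the gap list tells you whether the hole was already present when the feed arrived; run the same thing on a capture from the consumer side and compare. The trailing-bytes and truncation checks are deliberate: a packet whose message count disagrees with its length is the kind of thing a dissector that only reads the header would silently accept.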

How do you build it from source?

I followed the Win32: Step-by-Step Guide from the Wireshark documentation to prepare my build environment. You should do that too, unless you already have a working Wireshark build environment for your operating system. I chose to build it on Windows because that is the platform I most often use Wireshark on.

I used the m2m dissector directory as the skeleton for moldudp because it seemed more straightforward to modify a pre-existing set of Makefiles than to write my own. The ZIP contains the resources required to build the dissector once you have followed the Step-by-Step Guide to prepare environment variables etc. If you've followed that guide, extract the ZIP into C:\Wireshark\plugins and it will build moldudp.dll.

What's on the 'TODO' list?

My priority list is to:

Not on the priority list, but maybe worth doing one day: