howtouselinux

Tcpdump: Filter UDP Packets

Table of Contents

Tcpdump can be used to capture network packets for many protocols like UDP, TCP, ICMP, etc. We are going to review how to filter UDP packets with tcpdump.

UDP Protocol

UDP is a connectionless protocol. This means that there is no three-way handshake carried out before data is transmitted. The sending device literally sends the data out on the wire and hopes it is received by the destination device.

It is often referred to as a best-effort protocol; it doesn’t matter if the data gets there or not. The UDP protocol is often used for streaming media and online gaming.

Check this port to learn more about the difference between TCP and UDP.

Sending UDP packets with Python Code

We don’t need to create a connection before we send data to the other end for UDP. The following example will send ‘hello I am client’ to port 1013 on localhost.

After we run this command, we can see that the packet is sent out successfully.

python -c “import socket ; s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); s.sendto(‘hello I am client’,(‘127.0.0.1’, 1013));

The socket module in Python provides basic networking functionality. The socket module can be used to create sockets, send and receive data, and listen for incoming connections.

The socket module is a C library that Python wraps. This means that when you use the socket module, you are actually using the C library. This can be useful for developers who want to do low-level network programming.

The socket module has two main classes: the Socket class and the ServerSocket class. The Socket class represents a connection to a remote server. The ServerSocket class represents a server that accepts incoming connections.

The Socket class has the following methods:

  • send() – Sends data to a remote server.
  • recv() – Receives data from a remote server.
  • getpeername() – Gets the name of the machine that the socket is connected to.
  • getsockname() – Gets the local address and port of the socket.
  • close() – Closes the socket connection.

 

Capturing UDP packets with Tcpdump

The tcpdump command is a network debugging tool that can be used to capture packets on a network interface. The tcpdump command can be used to troubleshoot network issues by capturing packets and viewing the contents of the packets.

We can use this command to filter this UDP packet with tcpdump.

# tcpdump -i lo0 udp port 1013 -XAvvv

To briefly explain the options we passed to it:

  • -i lo only captures packets on the local loopback i.e. packets sent to localhost
  • udp means that only UDP packets will be captured. Other types of packets we might capture could be tcp or icmp for example.
  • -vvv just gives us more verbose output
  • -X prints out the data in the UDP packets in ASCII as well as hex. If we just wanted the latter we could use the -x option

We can get more details about this packet from the output. The local port is 63128. The remote port is 1013

tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 262144 bytes
17:17:55.687703 IP (tos 0x0, ttl 64, id 43620, offset 0, flags [none], proto UDP (17), length 45, bad cksum 0 (->d259)!)
localhost.63128 > localhost.1013: [bad udp cksum 0xfe2c -> 0xb270!] UDP, length 17
0x0000: 4500 002d aa64 0000 4011 0000 7f00 0001 E..-.d..@…….
0x0010: 7f00 0001 f698 03f5 0019 fe2c 6865 6c6c ………..,hell
0x0020: 6f20 4920 616d 2063 6c69 656e 74 o.I.am.client

Capturing UDP packets and other filters with Tcpdump

One of the best features of tcpdump is that we can filter out exactly the traffic we want to see.

  • tcpdump -i interface udp and host 10.1.1.1
  • tcpdump -i interface udp and port 53
  • tcpdump -i interface udp or dst host 10.1.1.1
  • tcpdump -i interface udp or src port 53
  • tcpdump -n ‘dst host 10.10.150.20 and (tcp port 80 or tcp port 443)’

Tcpdump command options summary

Tcpdump provides several options that enhance or modify its output. The following are the commonly used options for tcpdump command.

  • -i : Listen on the specified interface.
  • -n: Don’t resolve hostnames. You can use -nn to don’t resolve hostnames or port names.
  • -t: Print human-readable timestamp on each dump line, -tttt: Give maximally human-readable timestamp output.
  • -X: Show the packet’s contents in both hex and ascii.
  • -v, -vv, -vvv: Increase the amount of packet information you get back.
  • -c N: Only get N number of packets and then stop.
  • -s: Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
  • -S: Print absolute sequence numbers.
  • -q: Show less protocol information.
  • -w : Write the raw packets to file rather
  • -C file_size(M)
  • -G rotate_seconds

Check this post to learn how to capture TCP packets with Tcpdump

Related:

Linux Troubleshooting Guide:

Linux Learning Guide:

David Cao
David Cao

Hey there! I am David, a Cloud & DevOps Enthusiast and 18 years of experience as a Linux engineer. I work with AWS, Git & GitHub, Linux, Python, Ansible, and Bash. I am a technical blogger and a Software Engineer, enjoy sharing my learning and contributing to open-source.