Tcpdump: Filter UDP Packets

Updated: Sep 3

Tcpdump can be used to capture network packets for many protocols like UDP, TCP, ICMP, etc. We are going to review how to filter UDP packets with tcpdump.


UDP Protocol

UDP is a connectionless protocol. This means that there is no three-way handshake carried out before data is transmitted. The sending device simply puts the datagram on the wire and hopes it is received by the destination device. It is often referred to as a best-effort protocol: the protocol itself does not check whether the data arrives.

Check this post to learn more about the difference between TCP and UDP.



Sending UDP packets with Python Code

With UDP we don't need to create a connection before sending data to the other end. The following one-liner sends 'hello I am client' to port 1013 on localhost. After we run it, the capture below shows the packet going out.


python -c "import socket; s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); s.sendto(b'hello I am client', ('127.0.0.1', 1013))"


Capturing UDP packets with Tcpdump

We can use this command to filter this UDP packet with tcpdump.

# tcpdump -i lo0 -XAvvv udp port 1013

To briefly explain the options we passed to it:

  • -i lo0 only captures packets on the local loopback interface, i.e. packets sent to localhost

  • udp means that only UDP packets will be captured. Other types of packets we might capture could be tcp or icmp for example.

  • -vvv just gives us more verbose output

  • -X prints out the data in the UDP packets in ASCII as well as hex. If we just wanted the hex we could use the -x option; -A prints the payload in ASCII only



We can get more details about this packet from the output. The local port is 63128 and the remote port is 1013. The "bad cksum" notes are normal on a loopback capture: with checksum offload the kernel leaves the checksum fields unfinished, and tcpdump prints the value it expected after the arrow.

tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 262144 bytes
17:17:55.687703 IP (tos 0x0, ttl 64, id 43620, offset 0, flags [none], proto UDP (17), length 45, bad cksum 0 (->d259)!)
    localhost.63128 > localhost.1013: [bad udp cksum 0xfe2c -> 0xb270!] UDP, length 17
 0x0000:  4500 002d aa64 0000 4011 0000 7f00 0001  E..-.d..@.......
 0x0010:  7f00 0001 f698 03f5 0019 fe2c 6865 6c6c  ...........,hell
 0x0020:  6f20 4920 616d 2063 6c69 656e 74         o.I.am.client
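As an added example (not part of the original post), this Python script rebuilds the raw packet from the three hex-dump lines above, decodes the IPv4 and UDP headers to recover the 63128 -> 1013 ports and the payload, and recomputes both checksums so the "->d259" and "->0xb270" values tcpdump printed can be reproduced by hand.

```python
import re
import struct

# The three hex-dump lines from the tcpdump -X output above.
TCPDUMP_HEX = """\
 0x0000:  4500 002d aa64 0000 4011 0000 7f00 0001  E..-.d..@.......
 0x0010:  7f00 0001 f698 03f5 0019 fe2c 6865 6c6c  ...........,hell
 0x0020:  6f20 4920 616d 2063 6c69 656e 74         o.I.am.client
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw packet bytes from 'tcpdump -X' lines ('0xNNNN:  hex groups  ascii')."""
    out = bytearray()
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("0x"):
            continue
        # Columns are split by two or more spaces; the ASCII column shows
        # non-graphic bytes as '.', so it never contains a space itself.
        hex_col = re.split(r"\s{2,}", line)[1]
        out += bytes.fromhex(hex_col.replace(" ", ""))
    return bytes(out)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4_udp(pkt: bytes) -> dict:
    """Decode the IPv4 and UDP headers and recompute the checksums tcpdump flagged."""
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto,
     ip_cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 17:
        raise ValueError("not a UDP packet (proto %d)" % proto)
    sport, dport, ulen, udp_cksum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    udp = pkt[ihl:ihl + ulen]
    pseudo = src + dst + struct.pack("!BBH", 0, proto, ulen)  # UDP pseudo-header
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ttl, "id": ident, "length": total_len,
        "sport": sport, "dport": dport, "payload": udp[8:],
        "ip_cksum": ip_cksum, "udp_cksum": udp_cksum,
        "ip_cksum_expected": inet_checksum(pkt[:10] + b"\x00\x00" + pkt[12:ihl]),
        "udp_cksum_expected": inet_checksum(pseudo + udp[:6] + b"\x00\x00" + udp[8:]),
    }
```

The stored UDP checksum 0xfe2c is exactly the one's-complement sum of the pseudo-header alone, which is what the kernel leaves in the field when it hands the final computation to offload hardware; that is why a loopback capture shows "bad udp cksum" even though the datagram was delivered.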


Capturing UDP packets and other filters with Tcpdump

One of the best features of tcpdump is that we can filter out exactly the traffic we want to see. In the examples below, interface stands for the name of the capture interface (lo0 in the capture above).

  • tcpdump -i interface udp and host 10.1.1.1

  • tcpdump -i interface udp and port 53

  • tcpdump -i interface udp or dst host 10.1.1.1

  • tcpdump -i interface udp or src port 53

  • tcpdump -n 'dst host 10.10.150.20 and (tcp port 80 or tcp port 443)'


Tcpdump command options summary

Tcpdump provides several options that enhance or modify its output. The following are commonly used options for the tcpdump command.



  • -i <interface>: Listen on the specified interface.

  • -n: Don't resolve hostnames. Use -nn to resolve neither hostnames nor port names.

  • -t: Print human-readable timestamp on each dump line; -tttt: Give maximally human-readable timestamp output.

  • -X: Show the packet's contents in both hex and ASCII.

  • -v, -vv, -vvv: Increase the amount of packet information you get back.

  • -c N: Only get N number of packets and then stop.

  • -s: Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.

  • -S: Print absolute sequence numbers.

  • -q: Show less protocol information.

  • -w <file name>: Write the raw packets to file rather

  • -C file_size(M): Before writing a packet to the -w file, check whether the file is larger than file_size (in millions of bytes) and, if so, start a new file.

  • -G rotate_seconds: Rotate the -w dump file every rotate_seconds seconds.



