Tcpdump: Filter UDP Packets

tcpdump is a powerful command-line network packet analyzer used for network troubleshooting and analysis.

To capture UDP packets using tcpdump, you can use specific filtering options to narrow down the traffic you want to capture.

Table of Contents

UDP Protocol

UDP is a connectionless protocol. This means that there is no three-way handshake carried out before data is transmitted. The sending device literally sends the data out on the wire and hopes it is received by the destination device.

It is often referred to as a best-effort protocol; it doesn’t matter if the data gets there or not. The UDP protocol is often used for streaming media and online gaming.

Get Your Free Linux training!

Join our free Linux training and discover the power of open-source technology. Enhance your skills and boost your career! Learn Linux for Free!

Check this port to learn more about the difference between TCP and UDP.

Sending UDP packets with Python Code

We don’t need to create a connection before we send data to the other end for UDP. The following example will send ‘hello I am client’ to port 1013 on localhost.

After we run this command, we can see that the packet is sent out successfully.

python -c "import socket ; s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); s.sendto('hello I am client',('127.0.0.1', 1013));

The socket module in Python provides basic networking functionality. The socket module can be used to create sockets, send and receive data, and listen for incoming connections.

The socket module is a C library that Python wraps. This means that when you use the socket module, you are actually using the C library. This can be useful for developers who want to do low-level network programming.

The socket module has two main classes: the Socket class and the ServerSocket class. The Socket class represents a connection to a remote server. The ServerSocket class represents a server that accepts incoming connections.

The Socket class has the following methods:

send() – Sends data to a remote server.
recv() – Receives data from a remote server.
getpeername() – Gets the name of the machine that the socket is connected to.
getsockname() – Gets the local address and port of the socket.
close() – Closes the socket connection.

Capturing UDP packets with Tcpdump

The tcpdump command is a network debugging tool that can be used to capture packets on a network interface.

The tcpdump command can be used to troubleshoot network issues by capturing packets and viewing the contents of the packets.

We can use this command to filter this UDP packet with tcpdump.

# tcpdump -i lo0 udp port 1013 -XAvvv

To briefly explain the options we passed to it:

-i lo only captures packets on the local loopback i.e. packets sent to localhost
udp means that only UDP packets will be captured. Other types of packets we might capture could be tcp or icmp for example.
-vvv just gives us more verbose output
-X prints out the data in the UDP packets in ASCII as well as hex. If we just wanted the latter we could use the -x option

We can get more details about this packet from the output. The local port is 63128. The remote port is 1013

tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 262144 bytes 17:17:55.687703 IP (tos 0x0, ttl 64, id 43620, offset 0, flags [none], proto UDP (17), length 45, bad cksum 0 (->d259)!) localhost.63128 > localhost.1013: [bad udp cksum 0xfe2c -> 0xb270!] UDP, length 17 0x0000: 4500 002d aa64 0000 4011 0000 7f00 0001 E..-.d..@....... 0x0010: 7f00 0001 f698 03f5 0019 fe2c 6865 6c6c ...........,hell 0x0020: 6f20 4920 616d 2063 6c69 656e 74 o.I.am.client

Here are the most common ways to use tcpdump to capture UDP packets:

Capture all UDP traffic

To capture all UDP packets, you can use the following command:

sudo tcpdump udp

This will capture all UDP packets on all interfaces and display them in the terminal. You might need sudo privileges to capture packets on network interfaces.

Capture UDP traffic on a specific interface

To capture UDP packets on a specific network interface (e.g., eth0), use the -i option followed by the interface name:

sudo tcpdump -i eth0 udp

Replace eth0 with the name of your network interface (e.g., wlan0 for Wi-Fi or ens33 for a virtual machine interface).

Capture UDP traffic on a specific port

If you want to capture UDP traffic on a specific port, use the following syntax:

sudo tcpdump udp port <port_number>

For example, to capture UDP traffic on port 53 (which is commonly used for DNS), you would run:

sudo tcpdump udp port 53

Capture UDP packets from a specific source or destination IP address

You can also filter UDP packets by source or destination IP address. For example, to capture UDP traffic to or from a specific IP (e.g., 192.168.1.100):

sudo tcpdump udp and host 192.168.1.100

This will capture all UDP traffic from or to the IP address 192.168.1.100.

If you want to filter by just source or destination IP, you can use src or dst:

Capture UDP packets from 192.168.1.100:

sudo tcpdump udp and src host 192.168.1.100

Capture UDP packets to 192.168.1.100:

sudo tcpdump udp and dst host 192.168.1.100

Capture UDP packets and display packet contents

To capture and display more detailed information about the UDP packets (including the data payload), you can use the -X or -XX option. These options will display the packet content in both hexadecimal and ASCII format.

sudo tcpdump -i eth0 udp -X

This will display both the raw packet data and the decoded information in ASCII form.

-X: Displays packet contents in both hexadecimal and ASCII.
-XX: Displays raw packet data with even more details (including link-layer headers).

Capture and save UDP packets to a file

To save the captured UDP packets to a file (e.g., udp_traffic.pcap), you can use the -w option:

sudo tcpdump -i eth0 udp -w udp_traffic.pcap

This will write the UDP packets to a file named udp_traffic.pcap, which can later be analyzed with tools like Wireshark.

Limit the number of captured packets

To limit the number of packets captured, use the -c option followed by the number of packets you want to capture. For example, to capture only 10 UDP packets:

sudo tcpdump -i eth0 udp -c 10

Capture UDP packets with specific length

You can filter by the size of the UDP packets using the len keyword. For example, to capture UDP packets with a length greater than 100 bytes:

sudo tcpdump udp and 'len > 100'

Example Use Cases

Capture all UDP traffic on interface eth0:
```
sudo tcpdump -i eth0 udp
```
Capture UDP traffic on port 53 (DNS) on all interfaces:
```
sudo tcpdump udp port 53
```
Capture UDP traffic from a specific source IP (e.g., 192.168.1.100):
```
sudo tcpdump udp and src host 192.168.1.100
```
Capture UDP traffic with detailed packet content:
```
sudo tcpdump -i eth0 udp -X
```

Save UDP packets to a file for later analysis:

sudo tcpdump -i eth0 udp -w udp_traffic.pcap

Capture a maximum of 50 UDP packets on the interface eth0:
```
sudo tcpdump -i eth0 udp -c 50
```

Summary of Useful tcpdump Flags for UDP

udp: Capture all UDP traffic.
-i <interface>: Specify the network interface to listen on.
port <port_number>: Filter by a specific UDP port.
host <ip_address>: Capture traffic from/to a specific IP.
src/dst host <ip_address>: Capture UDP packets from/to a specific source/destination IP.
-X: Show detailed packet content in hexadecimal and ASCII.
-w <file_name>: Write captured packets to a file.
-c <count>: Limit the number of packets captured.

By using these commands and filters, you can effectively capture and analyze UDP traffic using tcpdump.

Capturing UDP packets and other filters with Tcpdump

One of the best features of tcpdump is that we can filter out exactly the traffic we want to see.

tcpdump -i interface udp and host 10.1.1.1
tcpdump -i interface udp and port 53
tcpdump -i interface udp or dst host 10.1.1.1
tcpdump -i interface udp or src port 53
tcpdump -n 'dst host 10.10.150.20 and (tcp port 80 or tcp port 443)'

Tcpdump command options summary

Tcpdump provides several options that enhance or modify its output. The following are the commonly used options for tcpdump command.

Option	Description
-i	Listen on the specified interface.
-n	Don’t resolve hostnames. You can use -nn to don’t resolve hostnames or port names.
-t	Print human-readable timestamp on each dump line, -tttt: Give maximally human-readable timestamp output.
-X	Show the packet’s contents in both hex and ascii.
-v, -vv, -vvv	enables verbose logging/details (which among other things will give us a running total on how many packets are captured
-c N	Only get N number of packets and then stop.
-s	Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S	Print absolute sequence numbers.
-q	Show less protocol information.
-w	Write the raw packets to file
-C file_size(M)	tells tcpdump to store up to x MB of packet data per file.
-G rotate_seconds	Create a new file every time the specified number of seconds has elapsed.

Check this post to learn how to capture TCP packets with Tcpdump

Linux Troubleshooting Guide:

Linux Learning Guide:

Mary M

Tuesday 6th of August 2024

I appreciate the clarity in which the different filter expressions are presented, allowing even those with less experience to understand the nuances of capturing UDP traffic. The examples provided are a great starting point for customizing tcpdump to suit specific network analysis needs.

One aspect that I found especially useful was the discussion on how to isolate traffic to a particular port or host, which is crucial for troubleshooting and optimizing network performance. The step-by-step guidance on constructing complex filters is a testament to the article's commitment to empowering readers with the necessary skills to handle real-world scenarios.

For those looking to expand their network diagnostic toolkit, I would also recommend exploring other packet analysis tools that complement tcpdump, such as Wireshark, to provide a more comprehensive view of network traffic.