
Network Traffic Analysis for IR: UDP with Wireshark

Introduction to UDP

The User Datagram Protocol (UDP) is one of the two main transport protocols that sit between the Internet Protocol (IP) layer and higher-level, specialized protocols such as the Hypertext Transfer Protocol (HTTP) and the Domain Name System (DNS).

The other such protocol, the Transmission Control Protocol (TCP), is designed to provide reliable connections with built-in error handling. It is intended for applications that need to be certain that data reaches its destination intact and that do not prioritize low latency.

UDP, on the other hand, is intended for applications that prioritize latency over reliability. It is a “fire and forget” protocol that does not retain state. After a UDP packet is sent, there is no acknowledgement of receipt from the destination, and lost packets are not retransmitted. As a result, UDP is commonly used in applications where all the data fits within a single packet and either packet loss is not a major problem (as in DNS) or high-speed transmission is necessary (as in gaming).

UDP in Wireshark

An extremely common use of the UDP protocol is for DNS traffic. DNS requests and responses are relatively small, and, if something goes wrong and a packet is dropped, it is easy to make another request. As a result, DNS often does not require the reliability guarantees that TCP provides, and the overhead of the TCP handshake is superfluous.

The screenshot above shows the details of a standard UDP packet header. As shown, UDP uses the same port model as TCP, and applications that use both TCP and UDP will often use the same port numbers in each. The UDP header also includes a length field and a checksum for verifying the integrity of the data it carries.
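To make the header fields concrete, here is an added example (not code from the original post) that builds a UDP segment carrying a constructed DNS query and then parses it back the way Wireshark's UDP dissector does: ports, declared length versus actual length, and the checksum recomputed over the IPv4 pseudo-header. The addresses, ports and DNS query are constructed sample values.

```python
"""Build and verify a UDP header: ports, length, and checksum (added example)."""
import struct

UDP_PROTO = 17  # IP protocol number for UDP


def _ones_complement_sum(data: bytes) -> int:
    # Sum 16-bit big-endian words, folding carries back in (RFC 1071 style).
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero byte for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    # The checksum covers a pseudo-header (src/dst IPv4, zero, protocol, UDP length)
    # plus the UDP header and payload, with the checksum field itself zeroed.
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, UDP_PROTO, len(segment))
    chk = (~_ones_complement_sum(pseudo + segment)) & 0xFFFF
    return chk or 0xFFFF  # a computed 0 is sent as 0xFFFF; 0 on the wire means "none"


def build_udp(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    chk = udp_checksum(src_ip, dst_ip, header + payload)
    return header[:6] + struct.pack("!H", chk) + payload


def parse_udp(src_ip: bytes, dst_ip: bytes, segment: bytes) -> dict:
    sport, dport, length, chk = struct.unpack("!HHHH", segment[:8])
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    expected = udp_checksum(src_ip, dst_ip, zeroed)
    return {
        "src_port": sport, "dst_port": dport, "length": length, "checksum": chk,
        "length_ok": length == len(segment),          # declared vs. actual size
        "checksum_ok": chk == 0 or chk == expected,   # IPv4 senders may omit it
        "payload": segment[8:length],
    }


# Constructed sample: DNS A query for example.com, 10.0.0.5:53231 -> 10.0.0.1:53
DNS_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
             + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")
SRC, DST = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])
SEGMENT = build_udp(SRC, DST, 53231, 53, DNS_QUERY)

if __name__ == "__main__":
    print(parse_udp(SRC, DST, SEGMENT))
```

A flipped payload byte or a truncated segment shows up as `checksum_ok` or `length_ok` being false, which is the same signal Wireshark surfaces as a bad checksum or a malformed packet during triage.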

UDP analysis for incident response

UDP is primarily intended for carrying other types of (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/qcnFLVEqnEY/