UDP (Networking series 2)

shubham kumar singh
Published in DevOps-Journey
3 min read · Nov 23, 2020


UDP traffic

The User Datagram Protocol, or UDP, is a communication protocol used across the Internet specifically for low-latency, time-sensitive transmissions such as video playback and DNS lookups. It is a connectionless protocol, so it speeds up communication by not formally establishing a connection before data is transferred. This allows data to be transferred very quickly, but it can also cause packets to be lost in transit, and it creates opportunities for exploitation in the form of DDoS attacks. Since a lot has already been written about UDP traffic, I am going to rely on existing sources. Most of the material on this page is taken from Cloudflare (https://www.cloudflare.com/learning/ddos/glossary/user-datagram-protocol-udp/).

Example Wireshark for UDP Traffic

As you can see in the capture above, the DNS protocol runs over UDP. Other protocols, such as RTSP (Real-Time Streaming Protocol), also use UDP. Depending on the protocol implementation, each protocol adds its own headers and flags on top of the packet. Example DNS headers are shown below:

Kernel Tasks

I have added the diagram below to explain the responsibilities the Linux kernel has in managing the OS. Network management is one of those components. Protocols such as UDP and TCP/IP are built to retrieve certain information. Additionally, to manage and filter the data it is not wise to sniff every part of the actual payload; it is better to work on metadata to enable filtering. In the networking layer, protocols push this meta information into IPv4 packet headers. They are explained further in this document.

UDP Packet headers

The Linux kernel has protocol-specific implementations, and they operate on something called packet headers. These headers are used for many tasks, such as identifying a unique packet, the version, HLEN, fragments, etc. The fields below are those of the IPv4 datagram header that carries a UDP datagram; the header is laid out in rows of 32 bits, as shown in the diagram below. Let me explain a few of them, and add an example of DNS headers from Wireshark to illustrate the same. (Reference is taken from https://www.geeksforgeeks.org/introduction-and-ipv4-datagram-header/)

VERSION: Version of the IP protocol (4 bits), which is 4 for IPv4

HLEN: IP header length (4 bits), which is the number of 32-bit words in the header. The minimum value for this field is 5 and the maximum is 15.

Type of service: Low Delay, High Throughput, Reliability (8 bits)

Total Length: Length of header + data (16 bits), which has a minimum value of 20 bytes and a maximum of 65,535 bytes.

Identification: Unique Packet Id for identifying the group of fragments of a single IP datagram (16 bits)

Flags: 3 flags of 1 bit each: reserved bit (must be zero), do-not-fragment flag, more-fragments flag (in that order)

Fragment Offset: Represents the number of data bytes ahead of this fragment in the datagram (13 bits). Specified in units of 8 bytes, so it has a maximum value of 65,528 bytes.

Time to live: Datagram's lifetime (8 bits). It prevents the datagram from looping through the network by restricting the number of hops a packet can take before delivery to the destination.

Protocol: Identifies the protocol to which the data is to be passed (8 bits)

Header Checksum: 16-bit header checksum for detecting errors in the datagram header

Source IP address: 32-bit IP address of the sender

Destination IP address: 32-bit IP address of the receiver

Option: Optional information such as source route or record route. Used by the network administrator to check whether a path is working or not.
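To make the fields above concrete, here is an added example (my own code, not from the original post or any of its sources) that builds a constructed IPv4+UDP packet carrying DNS-like bytes, then parses the header fields listed above, decodes the flags and fragment offset, verifies the header checksum the way a receiver would, and pulls out the UDP header behind it. The addresses, ports and payload are constructed sample values, not a real capture.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_UDP = 17  # value of the Protocol field for UDP


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the 16-bit words of the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_udp(packet: bytes) -> dict:
    """Parse the IPv4 header fields described above, then the UDP header behind it."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, hlen = ver_ihl >> 4, (ver_ihl & 0x0F) * 4  # HLEN counts 32-bit words
    if version != 4 or hlen < 20 or len(packet) < hlen:
        raise ValueError("bad version or header length")
    fields = {
        "version": version, "hlen": hlen, "tos": tos, "total_length": total_len,
        "identification": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # field is in units of 8 bytes
        "ttl": ttl, "protocol": proto,
        "checksum_ok": ipv4_checksum(packet[:hlen]) == 0,  # a valid header sums to zero
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
    }
    if proto == IPPROTO_UDP and fields["fragment_offset"] == 0:  # UDP header is in fragment 0
        sport, dport, ulen, ucsum = struct.unpack("!HHHH", packet[hlen:hlen + 8])
        fields["udp"] = {"sport": sport, "dport": dport, "length": ulen, "checksum": ucsum}
        fields["payload"] = packet[hlen + 8:hlen + ulen]
    return fields


def build_sample_packet() -> bytes:
    """Constructed sample: IPv4 (DF set, TTL 64) + UDP to port 53 with DNS-like payload bytes."""
    payload = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # constructed DNS header
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)  # UDP checksum 0: not computed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload), 0x1C46,
                      0x4000, 64, IPPROTO_UDP, 0,
                      IPv4Address("192.0.2.1").packed, IPv4Address("192.0.2.53").packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # fill checksum field
    return hdr + udp + payload


if __name__ == "__main__":
    print(parse_ipv4_udp(build_sample_packet()))
```

Flipping any header byte (for instance the TTL) makes `checksum_ok` false, which is exactly the error the Header Checksum field exists to catch; the UDP checksum is left at zero here because IPv4 allows it to be omitted.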
