I am currently working on a network & security training, module “OSI Layer 4 – Transport”. For it I made a very basic demo of a TCP and a UDP connection in order to see the well-known “SYN, SYN-ACK, ACK” handshake for TCP (and nothing of the kind for UDP), “Follow TCP/UDP Stream” in Wireshark, and so on. I wanted to show that it’s not that complicated at all. Every common application/service simply uses these data streams to transfer data, i.e. bytes, between a client and a server.
That is: here are the Linux commands for the basic lab, a downloadable pcap, and, as always, some Wireshark screenshots:
TCP
Listening with netcat on the server on port 1337:
netcat -6 -l 1337
Verifying the listening port:
netstat -tulpen6
In my case, this looks like:
weberjoh@nb15-lx:~$ netstat -tulpen6
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp6       0      0 :::22                   :::*                    LISTEN      0          21160      -
tcp6       0      0 :::1337                 :::*                    LISTEN      1000       1490116    20122/netcat
udp6       0      0 fe80::d6be:d9ff:fe4:123 :::*                                0          22715      -
udp6       0      0 2001:470:765b::b15::123 :::*                                0          22713      -
udp6       0      0 ::1:123                 :::*                                0          22711      -
udp6       0      0 :::123                  :::*                                0          22699      -
Now connecting from the client to the server with telnet:
telnet <ip> <port>
In my case, along with some text messages in both directions:
weberjoh@vm24-ns0:~$ telnet 2001:470:765b::b15:22 1337
Trying 2001:470:765b::b15:22...
Connected to 2001:470:765b::b15:22.
Escape character is '^]'.
Hello
Hi there
Greetings from the client to the server!
Thanks. Greetings back from the server to the client.
Cheers
Goodbye
^]
telnet> quit
Connection closed.
Wireshark reveals the TCP flags in the Info column for connection establishment and termination. Have a look at the ACKs directly after each sent message, regardless of the direction. Finally, a “Follow TCP Stream” shows the raw data, coloured by the direction in which they were transmitted:
UDP
Basically the same with UDP. Listening on the server on port 2311:
netcat -6 -l -u 2311
Proto type “udp6” is shown by netstat:
weberjoh@nb15-lx:~$ netstat -tulpen6
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp6       0      0 :::22                   :::*                    LISTEN      0          21160      -
udp6       0      0 fe80::d6be:d9ff:fe4:123 :::*                                0          22715      -
udp6       0      0 2001:470:765b::b15::123 :::*                                0          22713      -
udp6       0      0 ::1:123                 :::*                                0          22711      -
udp6       0      0 :::123                  :::*                                0          22699      -
udp6       0      0 :::2311                 :::*                                1000       1490184    20131/netcat
Connecting from the client, using netcat (and not telnet, which is not capable of UDP):
netcat -u <ip> <port>
Now my demo, again with some text messages and umlauts:
weberjoh@vm24-ns0:~$ netcat -u 2001:470:765b::b15:22 2311
Hi over UDP
Guten Tag auch
Oh, you speak German
Kann ich auch
Sehr schön. Sogar mit Umlauten. ;)
Yup. Ciao.
Tschö
^C
Seen through Wireshark’s glasses: no connection establishment, no termination, no ACKs. Only the raw data in both directions, one single UDP packet per sent text message. Quite easy. “Follow UDP Stream” works as well:
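To show what Wireshark’s Info column actually reads from the bytes in both the TCP and the UDP part of this lab, here is an added Python example (not part of the original post and not the lab’s own tooling). It builds constructed Ethernet/IPv6 frames for the three-way handshake, one message with its ACK, the teardown and two UDP datagrams, then decodes the TCP flags byte and the UDP header the way the Info column shows them. Addresses, MACs and client ports are made-up assumptions; sequence numbers and checksums are zeroed because only flags and lengths are read.

```python
import struct
# Constructed client/server IPv6 addresses and MACs; not taken from the post's pcap.
CLIENT = bytes.fromhex("20010db8000000000000000000000001")
SERVER = bytes.fromhex("20010db8000000000000000000000002")
TCP, UDP = 6, 17                                   # IPv6 Next Header values
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10        # bits of the TCP flags byte
# Ascending bit order; Wireshark's Info column lists the set flags in this order.
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

def ipv6_frame(src, dst, next_header, l4):
    """Ethernet (zero MACs, ethertype 0x86DD) + 40-byte IPv6 header + transport segment."""
    eth = b"\x00" * 12 + b"\x86\xdd"
    return eth + struct.pack("!IHBB", 0x60000000, len(l4), next_header, 64) + src + dst + l4

def tcp_segment(sport, dport, flags, data=b""):
    """20-byte TCP header; seq/ack/checksum are zeroed since only flags and length are read here."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + data

def udp_datagram(sport, dport, data):
    """8-byte UDP header: ports, length, checksum. No flags field exists, hence no handshake."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def info_column(frame):
    """Decode one frame into the text Wireshark shows in its Info column for TCP or UDP."""
    payload_len, next_header = struct.unpack("!HB", frame[18:21])
    l4 = frame[54:54 + payload_len]                # Ethernet (14) + IPv6 (40) = 54
    sport, dport = struct.unpack("!HH", l4[:4])
    if next_header == TCP:
        header_len = (l4[12] >> 4) * 4             # data offset, in 32-bit words
        flags = [n for i, n in enumerate(TCP_FLAGS) if l4[13] & (1 << i)]
        return f"TCP {sport} → {dport} [{', '.join(flags)}] Len={len(l4) - header_len}"
    if next_header == UDP:
        return f"UDP {sport} → {dport} Len={struct.unpack('!H', l4[4:6])[0] - 8}"
    return f"IPv6 next header {next_header}"

def lab_session():
    """The post's lab as constructed frames: 3-way handshake, a message and its ACK, teardown, then UDP."""
    c2s, s2c = (CLIENT, SERVER), (SERVER, CLIENT)
    frames = [
        ipv6_frame(*c2s, TCP, tcp_segment(40000, 1337, SYN)),
        ipv6_frame(*s2c, TCP, tcp_segment(1337, 40000, SYN | ACK)),
        ipv6_frame(*c2s, TCP, tcp_segment(40000, 1337, ACK)),
        ipv6_frame(*c2s, TCP, tcp_segment(40000, 1337, PSH | ACK, b"Hello\r\n")),
        ipv6_frame(*s2c, TCP, tcp_segment(1337, 40000, ACK)),       # ACK right after the message
        ipv6_frame(*c2s, TCP, tcp_segment(40000, 1337, FIN | ACK)),
        ipv6_frame(*s2c, TCP, tcp_segment(1337, 40000, FIN | ACK)),
        ipv6_frame(*c2s, TCP, tcp_segment(40000, 1337, ACK)),
        ipv6_frame(*c2s, UDP, udp_datagram(40001, 2311, "Hi over UDP\n".encode())),
        ipv6_frame(*s2c, UDP, udp_datagram(2311, 40001, "Tschö\n".encode())),  # ö is 2 bytes in UTF-8
    ]
    return [info_column(f) for f in frames]
```

Printing `lab_session()` line by line gives the same sequence the screenshots show: three handshake frames, `[PSH, ACK]` carrying the message followed by a bare `[ACK]`, the `[FIN, ACK]` exchange, and UDP lines that carry only ports and a length.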
pcap
Have a look at the corresponding pcap, if you like. 7zipped, 1 KB:
Featured image “Slices of rye bread with butter on a wooden board” by Marco Verch Professional Photographer and Speaker is licensed under CC BY 2.0.
It’s correct that UDP is usually one packet per information, but if the information is too large to fit into a single packet it will be fragmented at the IP layer. In that case it’s more than one packet per information.
Or… your application might find out and switch to TCP (like DNS does). Beware of stability and availability issues.