Section 5: Layer 4 - UDP and Port Numbers


5.1 UDP Overview

UDP (User Datagram Protocol) is a connectionless, lightweight transport protocol.

UDP Key Characteristics

  • Connectionless - No handshake required before sending data
  • Unreliable - No guarantee of delivery, order, or integrity
  • No flow control - Sender can transmit at any rate
  • Low overhead - Only 8-byte header (vs TCP’s 20-60 bytes)
  • Fast - No connection setup delay
  • Stateless - No connection state to maintain
  • Supports broadcast - Can send to multiple recipients

Best For

Real-time applications where speed > reliability: DNS, VoIP (RTP), video streaming, gaming, DHCP

UDP vs TCP Comparison

Feature             | UDP                | TCP
--------------------+--------------------+---------------------
Connection          | Connectionless     | Connection-oriented
Reliability         | Unreliable         | Reliable (ACKs)
Ordering            | No ordering        | Ordered delivery
Header Size         | 8 bytes            | 20-60 bytes
Speed               | Faster             | Slower (overhead)
Flow Control        | None               | Yes (window)
Congestion Control  | None               | Yes
Error Recovery      | None (app handles) | Automatic retransmit
Broadcast/Multicast | Supported          | Not supported

Use Cases:

  • UDP: DNS, DHCP, SNMP, RTP/VoIP, TFTP, Gaming, Streaming
  • TCP: HTTP, HTTPS, FTP, SSH, SMTP, Telnet, SIP (signaling)

5.2 UDP Header Structure

UDP HEADER FORMAT (8 bytes fixed)

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |  Bytes
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  0-3
|            Length             |           Checksum            |  Bytes
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  4-7
|                                                               |
|                          Data (Payload)                       |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Total Header Size: 8 bytes (64 bits) - Fixed, no options

UDP Header Fields Explained

Field            | Size    | Description
-----------------+---------+-----------------------------------------------------------------------------
Source Port      | 16 bits | Sender’s port number (0-65535). Optional (can be 0 if no reply needed). Used for reply traffic.
Destination Port | 16 bits | Receiver’s port number. Identifies the application/service.
Length           | 16 bits | Total datagram length (header + data). Minimum: 8 bytes (header only). Maximum: 65,535 bytes. Practical max limited by IP (65,507).
Checksum         | 16 bits | Error detection. Optional in IPv4, mandatory in IPv6. Covers pseudo-header, header, and data. 0x0000 means checksum not computed.

5.3 UDP Checksum Calculation

The UDP checksum is calculated over a pseudo-header + UDP header + data:

IPv4 Pseudo-Header:

+-------+-------+-------+-------+-------+-------+-------+-------+
|             Source IP Address (32 bits)                       |
+-------+-------+-------+-------+-------+-------+-------+-------+
|          Destination IP Address (32 bits)                     |
+-------+-------+-------+-------+-------+-------+-------+-------+
|  Zero | Proto |          UDP Length                           |
| (8b)  | (17)  |            (16 bits)                          |
+-------+-------+-------+-------+-------+-------+-------+-------+

Why pseudo-header?

  • Verifies datagram reached correct destination
  • Detects misrouted packets
  • Protocol field ensures it’s interpreted as UDP

Checksum Values

  • 0x0000 in the header means “not computed” (IPv4 only; IPv6 requires the checksum)
  • If the computed checksum comes out as 0x0000, it is transmitted as 0xFFFF so a valid zero result is not mistaken for “not computed”
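The header layout in 5.2 and the pseudo-header rule above, worked through in code. This is an added example written for this page, not code from the original course material: it computes the IPv4 UDP checksum over pseudo-header + header + data, applies the 0x0000-becomes-0xFFFF rule, and shows the receiver-side check failing for a datagram delivered to the wrong IP address (the pseudo-header's purpose). The addresses and ports are the ones used elsewhere in this chapter; the `b"hello"` payload is constructed.

```python
import ipaddress
import struct

PROTO_UDP = 17  # IP protocol number carried in the pseudo-header


def ones_complement_sum(data: bytes) -> int:
    """Add the data as 16-bit big-endian words with end-around carry.
    An odd trailing byte is padded with zero for the sum only."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """IPv4 pseudo-header: src IP, dst IP, zero byte, protocol 17, UDP length."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, PROTO_UDP, udp_length))


def udp_checksum(src_ip: str, dst_ip: str, datagram: bytes) -> int:
    """Value to place in the Checksum field of `datagram` (header + data),
    computed with that field treated as zero. The UDP length used in the
    pseudo-header is the one the header itself carries."""
    length = struct.unpack("!H", datagram[4:6])[0]
    zeroed = datagram[:6] + b"\x00\x00" + datagram[8:]
    csum = ~ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + zeroed) & 0xFFFF
    # A computed 0x0000 is sent as 0xFFFF so it is not read as "not computed".
    return csum or 0xFFFF


def build_udp(src_port: int, dst_port: int, payload: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Assemble a UDP datagram with a correct IPv4 checksum."""
    length = 8 + len(payload)
    datagram = struct.pack("!HHHH", src_port, dst_port, length, 0) + payload
    csum = udp_checksum(src_ip, dst_ip, datagram)
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def verify_udp(src_ip: str, dst_ip: str, datagram: bytes) -> str:
    """A receiver's decision: 'not computed' (field is 0x0000, IPv4 only),
    'valid' when pseudo-header + datagram sums to all ones, otherwise 'bad'.
    Because the pseudo-header is included, a datagram delivered to the wrong
    IP address fails here even though its own bytes are intact."""
    if struct.unpack("!H", datagram[6:8])[0] == 0:
        return "not computed"
    length = struct.unpack("!H", datagram[4:6])[0]
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + datagram)
    return "valid" if total == 0xFFFF else "bad"


if __name__ == "__main__":
    dg = build_udp(54321, 53, b"hello", "192.168.1.100", "192.168.1.2")
    print(dg.hex())
    print(verify_udp("192.168.1.100", "192.168.1.2", dg))   # valid
    print(verify_udp("192.168.1.100", "192.168.1.1", dg))   # bad: misrouted
```

Summing the datagram together with its checksum field and expecting 0xFFFF is the standard receiver check; the 0xFFFF-for-zero substitution passes it unchanged because 0xFFFF is "negative zero" in ones' complement arithmetic.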

5.4 UDP Communication Model

UDP COMMUNICATION - No Handshake

     CLIENT                                              SERVER
       |                                                    |
       |              UDP Datagram 1                        |
       |    ------------------------------------------>     |
       |    Src Port: 54321, Dst Port: 53                   |
       |    "DNS Query: A record for example.com"           |
       |                                                    |
       |              UDP Datagram 2 (Response)             |
       |    <------------------------------------------     |
       |    Src Port: 53, Dst Port: 54321                   |
       |    "DNS Response: 93.184.216.34"                   |
       |                                                    |
       |                                                    |
       |  No connection setup, no teardown, no ACKs         |
       |  Each datagram is independent                      |
       |                                                    |

Contrast with TCP:
TCP: SYN -> SYN-ACK -> ACK -> Data -> ACK -> FIN -> ACK -> FIN -> ACK
UDP: Data -> Data (done!)

What Happens if UDP Packet is Lost?

Scenario 1: Request Lost

  • Client sends DNS query… lost in transit
  • Server never receives it, never responds
  • Client times out, may retry (application-level decision)

Scenario 2: Response Lost

  • Server sends DNS response… lost in transit
  • Client never receives it
  • Client times out, may retry (sends new query)

Key Point

UDP itself does NOT handle retransmission. The application layer must implement reliability if needed.

Examples of application-level reliability:

  • DNS: Retry with timeout, try alternate server
  • TFTP: Block acknowledgments, retransmit on timeout
  • RTP: Sequence numbers for loss detection, FEC for recovery
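The two loss scenarios and the DNS-style retry above, as an added example that is not part of the original chapter. `query_with_retry` implements the application-level reliability UDP lacks: a per-attempt timeout, a resend on silence, a bounded number of attempts, and matching of the reply's transaction ID so a late answer to an earlier attempt is discarded. `LossyChannel` is a constructed stand-in for the network that drops a chosen number of requests or replies so both scenarios can be exercised offline; `UdpTransport` shows the same interface over a real socket and is assumed usage, not exercised here.

```python
import random
import socket
import struct


def make_query(txid: int, name: str) -> bytes:
    """Minimal DNS standard query (flags 0x0100 = recursion desired) for an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def query_with_retry(transport, name: str, timeout: float = 1.0, max_attempts: int = 3):
    """Wait `timeout` for a reply, resend on silence, give up after `max_attempts`.
    Each attempt uses a fresh transaction ID and only a reply carrying the
    current ID is accepted. Returns (attempt_number, reply_bytes) or None."""
    for attempt in range(1, max_attempts + 1):
        txid = random.randrange(0, 1 << 16)
        transport.send(make_query(txid, name))
        reply = transport.recv(timeout)
        while reply is not None:
            if len(reply) >= 2 and struct.unpack("!H", reply[:2])[0] == txid:
                return attempt, reply
            reply = transport.recv(timeout)   # stale or foreign reply: keep waiting
    return None


class LossyChannel:
    """Simulated path to a DNS server (constructed, no network): drops the first
    `lose_requests` queries and the first `lose_replies` responses, otherwise
    answers each query with a response that echoes its transaction ID."""

    def __init__(self, lose_requests: int = 0, lose_replies: int = 0):
        self.lose_requests, self.lose_replies = lose_requests, lose_replies
        self.inbox = []

    def send(self, data: bytes) -> None:
        if self.lose_requests > 0:
            self.lose_requests -= 1          # Scenario 1: request lost, server never sees it
            return
        reply = data[:2] + b"\x81\x80" + data[4:]   # same ID; flags: standard response, RD+RA
        if self.lose_replies > 0:
            self.lose_replies -= 1           # Scenario 2: response lost on the way back
            return
        self.inbox.append(reply)

    def recv(self, timeout: float):
        return self.inbox.pop(0) if self.inbox else None   # None models the timeout expiring


class UdpTransport:
    """Same interface over a real UDP socket (assumed usage, not run offline)."""

    def __init__(self, server_ip: str, port: int = 53):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.connect((server_ip, port))

    def send(self, data: bytes) -> None:
        self.sock.send(data)

    def recv(self, timeout: float):
        self.sock.settimeout(timeout)
        try:
            return self.sock.recv(4096)
        except socket.timeout:
            return None


if __name__ == "__main__":
    print(query_with_retry(LossyChannel(lose_requests=1), "example.com", timeout=0.1))
    print(query_with_retry(LossyChannel(lose_replies=2), "example.com", timeout=0.1))
```

From the client's point of view the two scenarios are indistinguishable (silence until the timeout), which is why the retry logic is the same for both; the transaction-ID match is what keeps a delayed reply from being accepted for the wrong attempt.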

5.5 Port Numbers Overview

Range         | Name                              | Assignment
--------------+-----------------------------------+-------------------------------------------
0 - 1023      | Well-Known Ports (System Ports)   | IANA assigned, requires root/admin
1024 - 49151  | Registered Ports (User Ports)     | IANA registered, available to users
49152 - 65535 | Dynamic/Private (Ephemeral Ports) | Ephemeral (temporary), client source ports

  • Total possible ports: 65,536 (0-65535) per protocol (TCP and UDP)
  • A socket is uniquely identified by: Protocol + IP + Port

5.6 Well-Known Ports (0-1023)

Port | Protocol | Service     | Description
-----+----------+-------------+---------------------------------------
20   | TCP      | FTP-Data    | FTP data transfer
21   | TCP      | FTP         | FTP control/commands
22   | TCP      | SSH         | Secure Shell, SFTP, SCP
23   | TCP      | Telnet      | Unencrypted remote access
25   | TCP      | SMTP        | Simple Mail Transfer Protocol
53   | TCP/UDP  | DNS         | Domain Name System
67   | UDP      | DHCP Server | Dynamic Host Configuration
68   | UDP      | DHCP Client | DHCP client responses
69   | UDP      | TFTP        | Trivial File Transfer Protocol
80   | TCP      | HTTP        | Hypertext Transfer Protocol
110  | TCP      | POP3        | Post Office Protocol v3
119  | TCP      | NNTP        | Network News Transfer Protocol
123  | UDP      | NTP         | Network Time Protocol
137  | UDP      | NetBIOS-NS  | NetBIOS Name Service
138  | UDP      | NetBIOS-DGM | NetBIOS Datagram Service
139  | TCP      | NetBIOS-SSN | NetBIOS Session Service
143  | TCP      | IMAP        | Internet Message Access Protocol
161  | UDP      | SNMP        | Simple Network Management Protocol
162  | UDP      | SNMP-Trap   | SNMP Trap messages
389  | TCP/UDP  | LDAP        | Lightweight Directory Access Protocol
443  | TCP      | HTTPS       | HTTP over TLS/SSL
445  | TCP      | SMB         | Server Message Block (file sharing)
465  | TCP      | SMTPS       | SMTP over SSL (deprecated)
514  | UDP      | Syslog      | System logging
587  | TCP      | Submission  | Email submission (SMTP with auth)
636  | TCP      | LDAPS       | LDAP over SSL
993  | TCP      | IMAPS       | IMAP over SSL
995  | TCP      | POP3S       | POP3 over SSL

5.7 Registered Ports (1024-49151)

Port  | Protocol | Service    | Description
------+----------+------------+-----------------------------------
1080  | TCP      | SOCKS      | SOCKS proxy protocol
1194  | UDP      | OpenVPN    | OpenVPN default port
1433  | TCP      | MSSQL      | Microsoft SQL Server
1434  | UDP      | MSSQL-Mon  | MS SQL Server Monitor
1521  | TCP      | Oracle     | Oracle database
1701  | UDP      | L2TP       | Layer 2 Tunneling Protocol
1723  | TCP      | PPTP       | Point-to-Point Tunneling Protocol
1883  | TCP      | MQTT       | Message Queue Telemetry Transport
2049  | TCP/UDP  | NFS        | Network File System
3306  | TCP      | MySQL      | MySQL database
3389  | TCP      | RDP        | Remote Desktop Protocol
3478  | UDP      | STUN       | Session Traversal for NAT
5060  | TCP/UDP  | SIP        | Session Initiation Protocol
5061  | TCP      | SIPS       | SIP over TLS
5432  | TCP      | PostgreSQL | PostgreSQL database
5900  | TCP      | VNC        | Virtual Network Computing
5938  | TCP      | TeamViewer | TeamViewer remote access
6379  | TCP      | Redis      | Redis database
8080  | TCP      | HTTP-Alt   | HTTP alternate (proxy/cache)
8443  | TCP      | HTTPS-Alt  | HTTPS alternate
9000  | TCP      | Various    | PHP-FPM, SonarQube, etc.
27017 | TCP      | MongoDB    | MongoDB database

VoIP/Media Ports:

Port        | Protocol | Service | Description
------------+----------+---------+-------------------------------------------------------
5060        | UDP/TCP  | SIP     | VoIP signaling
5061        | TCP      | SIPS    | Secure SIP (TLS)
10000-20000 | UDP      | RTP     | Real-time Transport Protocol (voice/video media streams)

5.8 Dynamic/Ephemeral Ports (49152-65535)

Used for: Client-side source ports for outgoing connections

How it works:

Client (192.168.1.100)                    Server (93.184.216.34)

Application requests connection to web server
OS assigns ephemeral port: 52431

Src: 192.168.1.100:52431  ------>  Dst: 93.184.216.34:443
Dst: 192.168.1.100:52431  <------  Src: 93.184.216.34:443

Default Ranges by OS

Operating System    | Ephemeral Port Range
--------------------+---------------------
IANA Recommendation | 49152 - 65535
Linux (default)     | 32768 - 60999
Windows (Vista+)    | 49152 - 65535
Windows (XP/2003)   | 1025 - 5000
FreeBSD             | 49152 - 65535
macOS               | 49152 - 65535

Linux commands:

# Check current range
cat /proc/sys/net/ipv4/ip_local_port_range

# Modify range
sysctl -w net.ipv4.ip_local_port_range="32768 65535"

5.9 Socket Identification

A single socket (endpoint) is identified by Protocol + IP + Port; a connection between two sockets is uniquely identified by a 5-tuple:

  1. Protocol (TCP or UDP)
  2. Source IP (e.g., 192.168.1.100)
  3. Source Port (e.g., 52431)
  4. Dest IP (e.g., 93.184.216.34)
  5. Dest Port (e.g., 443)

Example - Multiple connections to same server:

Connection 1: TCP | 192.168.1.100:52431 | 93.184.216.34:443
Connection 2: TCP | 192.168.1.100:52432 | 93.184.216.34:443
Connection 3: TCP | 192.168.1.100:52433 | 93.184.216.34:443

All three connect to same server:port but have unique source ports.

Same port, different protocols

TCP port 53 (DNS over TCP) != UDP port 53 (DNS over UDP). These are SEPARATE sockets.
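The three-connection example and the TCP-53-versus-UDP-53 point above, as an added example that is not part of the original chapter. It keys a constructed packet list by a direction-independent 5-tuple, so a request and its reply land in the same flow while a different protocol or port gives a different one; the "server side is the well-known port" rule in `server_sockets` is a heuristic chosen for this sample, not a general truth.

```python
from collections import Counter

# Constructed packet headers: (protocol, src_ip, src_port, dst_ip, dst_port),
# using the addresses from the examples in this chapter.
SAMPLE_PACKETS = [
    ("TCP", "192.168.1.100", 52431, "93.184.216.34", 443),
    ("TCP", "93.184.216.34", 443, "192.168.1.100", 52431),   # server's reply, same connection
    ("TCP", "192.168.1.100", 52432, "93.184.216.34", 443),
    ("TCP", "192.168.1.100", 52433, "93.184.216.34", 443),
    ("UDP", "192.168.1.100", 54321, "192.168.1.2", 53),
    ("TCP", "192.168.1.100", 54321, "192.168.1.2", 53),      # same ports, different protocol
]


def flow_key(proto, src_ip, src_port, dst_ip, dst_port):
    """Direction-independent 5-tuple: packets in both directions of one
    connection get the same key, but a different protocol, IP or port
    anywhere in the tuple gives a different key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    lo, hi = (a, b) if a <= b else (b, a)
    return (proto, *lo, *hi)


def count_flows(packets):
    """Packets per connection, keyed by the normalised 5-tuple."""
    return Counter(flow_key(*pkt) for pkt in packets)


def server_sockets(packets):
    """Distinct listening endpoints contacted, as Protocol + IP + Port.
    Heuristic for this sample: the well-known-port side is taken as the server."""
    return sorted({(proto, dst_ip, dst_port)
                   for proto, _, _, dst_ip, dst_port in packets if dst_port < 1024})


if __name__ == "__main__":
    for key, n in count_flows(SAMPLE_PACKETS).items():
        print(n, "packet(s) in", key)
    print(server_sockets(SAMPLE_PACKETS))   # TCP/53 and UDP/53 listed separately
```

A flow table keyed this way is the basis of both stateful firewall entries and NetFlow-style records; it is also why a UDP listener on port 53 is not reachable through a rule that only opens TCP port 53.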


5.10 UDP in Practice - DNS Example

Wireshark Capture of DNS Query

Frame 1: 74 bytes on wire

Layer       | Details
------------+-------------------------------------------------------------------------------------------------------
Ethernet II | Src: aa:bb:cc:dd:ee:ff, Dst: 11:22:33:44:55:66
IPv4        | Src: 192.168.1.100, Dst: 192.168.1.2 (DNS server), Protocol: UDP (17)
UDP         | Src Port: 54321, Dst Port: 53, Length: 40, Checksum: 0x1a2b [correct]
DNS (query) | Transaction ID: 0x4e2a, Flags: 0x0100 (Standard query), Questions: 1, Queries: example.com (Type A, Class IN)

UDP Header Breakdown (8 bytes):

Bytes | Field       | Value
------+-------------+---------------------------------
0-1   | Source Port | 54321 (0xD431)
2-3   | Dest Port   | 53 (0x0035)
4-5   | Length      | 40 (0x0028) - header + DNS query
6-7   | Checksum    | 0x1A2B
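The header breakdown above, decoded by code. This is an added example, not part of the original chapter: it parses the 8-byte UDP header and the DNS question behind it from a constructed datagram. The sample reuses the capture's ports, checksum, transaction ID and flags, but its payload is a minimal 29-byte A query for example.com, so the Length field is 37 rather than the 40 shown in the capture. The parser cross-checks Length against the bytes actually received, which is the check that keeps a truncated or malformed datagram from being sliced on trust.

```python
import struct

# Constructed sample datagram (not a byte-for-byte copy of the capture above).
SAMPLE_UDP_DNS_QUERY = (
    bytes.fromhex("d431 0035 0025 1a2b")              # src 54321, dst 53, Length 37, checksum
    + bytes.fromhex("4e2a 0100 0001 0000 0000 0000")  # DNS header: id, flags, QD/AN/NS/AR counts
    + b"\x07example\x03com\x00"                       # QNAME as length-prefixed labels
    + bytes.fromhex("0001 0001")                      # QTYPE A, QCLASS IN
)


def parse_udp(datagram: bytes) -> dict:
    """Decode the 8-byte header and cross-check the Length field against
    what was received; a mismatch means truncation or a malformed datagram."""
    if len(datagram) < 8:
        raise ValueError("truncated: fewer than 8 bytes, no complete UDP header")
    src_port, dst_port, length, checksum = struct.unpack("!HHHH", datagram[:8])
    if length < 8:
        raise ValueError(f"Length {length} is below the 8-byte minimum")
    if length > len(datagram):
        raise ValueError(f"Length {length} exceeds the {len(datagram)} bytes received")
    return {"src_port": src_port, "dst_port": dst_port, "length": length,
            "checksum": checksum, "payload": datagram[8:length]}


def parse_dns_question(payload: bytes) -> dict:
    """Decode the DNS header and the single question of a standard query."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", payload[:12])
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("QNAME runs past end of payload")
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not valid in a question name")
        if pos + n > len(payload):
            raise ValueError("label runs past end of payload")
        labels.append(payload[pos:pos + n].decode("ascii"))
        pos += n
    if pos + 4 > len(payload):
        raise ValueError("question missing QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"txid": txid, "flags": flags,
            "is_response": bool(flags & 0x8000),        # QR bit
            "opcode": (flags >> 11) & 0xF,
            "recursion_desired": bool(flags & 0x0100),  # RD bit, the 1 in 0x0100
            "questions": qdcount, "name": ".".join(labels),
            "qtype": qtype, "qclass": qclass}


def describe(datagram: bytes) -> str:
    """One-line verdict per datagram, usable over a whole capture."""
    try:
        udp = parse_udp(datagram)
        q = parse_dns_question(udp["payload"])
    except ValueError as exc:
        return f"malformed: {exc}"
    kind = "response" if q["is_response"] else "query"
    return (f"{udp['src_port']} -> {udp['dst_port']} DNS {kind} "
            f"id=0x{q['txid']:04x} {q['name']} type={q['qtype']}")


if __name__ == "__main__":
    print(describe(SAMPLE_UDP_DNS_QUERY))
    print(describe(SAMPLE_UDP_DNS_QUERY[:30]))   # Length says 37, only 30 bytes arrived
```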

5.11 Common UDP Protocol Patterns

Pattern 1: Query-Response (DNS, SNMP)

Client sends query, server responds. Simple, one round-trip.

Client --[Query]-->  Server
Client <--[Response]--  Server

Pattern 2: Streaming (RTP, Video)

Continuous one-way or bidirectional flow. Lost packets acceptable.

Sender --[Packet 1]--> Receiver
Sender --[Packet 2]--> Receiver
Sender --[Packet 3]--> Receiver  (continuous stream)

Pattern 3: Broadcast/Multicast (DHCP, mDNS)

One sender, multiple receivers. Efficient for discovery.

Sender --[Broadcast]--> All hosts on subnet

Pattern 4: Reliable UDP (QUIC, TFTP)

Application implements reliability on top of UDP.

Client --[Block 1]--> Server
Client <--[ACK 1]-- Server
Client --[Block 2]--> Server
Client <--[ACK 2]-- Server

5.12 Wireshark Display Filters for UDP

Basic UDP Filters

Filter              | Description
--------------------+------------------------------------
udp                 | All UDP traffic
udp.port == 53      | DNS traffic (port 53)
udp.srcport == 67   | DHCP server responses
udp.dstport == 5060 | SIP signaling
udp.length > 100    | UDP datagrams larger than 100 bytes
udp.length < 50     | Small UDP datagrams

Checksum Filters

Filter                  | Description
------------------------+------------------------
udp.checksum == 0x0000  | No checksum computed
udp.checksum_bad == 1   | Bad/incorrect checksum

Combine with IP

Filter                                     | Description
-------------------------------------------+--------------------------------
ip.addr == 192.168.1.2 && udp.port == 53   | DNS traffic to/from DNS server
udp && ip.dst == 255.255.255.255           | UDP broadcast traffic

Protocol-Specific

Filter | Description
-------+---------------------------------
dns    | All DNS (auto-detects UDP/TCP)
dhcp   | All DHCP traffic
sip    | SIP signaling
rtp    | RTP media streams
snmp   | SNMP traffic
ntp    | NTP time sync
tftp   | TFTP file transfers

VoIP Capture Filters

Filter                                  | Description
----------------------------------------+-------------------------------
udp.port == 5060                        | SIP signaling (192.168.1.138)
udp.port >= 10000 && udp.port <= 10003  | RTP media streams
rtp && ip.addr == 192.168.1.130         | RTP to/from extension 4321

5.13 Capture Filters for UDP

Capture filters are applied DURING capture to reduce file size. They use Berkeley Packet Filter (BPF) syntax, different from display filters.

Basic UDP Capture Filters

Filter                    | Description
--------------------------+-----------------------
udp                       | Capture all UDP
udp port 53               | DNS traffic only
udp port 5060             | SIP signaling only
udp portrange 10000-20000 | RTP port range
udp dst port 161          | SNMP queries
udp src port 67           | DHCP server responses

Combine with Host

Filter                                   | Description
-----------------------------------------+----------------------------
host 192.168.1.138 and udp               | All UDP to/from PBX
src host 192.168.1.1 and udp port 5060   | SIP from extension 1234

Exclude Traffic

Filter                  | Description
------------------------+--------------------------
udp and not port 53     | UDP except DNS
not broadcast and udp   | UDP excluding broadcasts

Important

Capture filters cannot be changed during capture! Use broad capture filters and refine with display filters later.


5.14 UDP Troubleshooting

Common UDP Issues

1. PACKET LOSS

  • Symptoms: Missing responses, timeouts, choppy audio/video
  • Diagnosis: Look for gaps in RTP sequence numbers
  • Filter: rtp.seq (check for missing numbers)

2. PORT UNREACHABLE (ICMP)

  • Symptoms: ICMP “Destination Unreachable, Port Unreachable”
  • Cause: No application listening on destination port
  • Filter: icmp.type == 3 && icmp.code == 3

3. FIREWALL BLOCKING

  • Symptoms: Requests sent but no responses received
  • Diagnosis: Compare sent packets vs received
  • Common: UDP stateless, firewall may not track return traffic

4. CHECKSUM ERRORS

  • Symptoms: udp.checksum_bad == 1
  • Note: Modern NICs do checksum offload - Wireshark may show bad checksums for OUTGOING traffic (calculated by NIC later)
  • Fix: Disable checksum verification in Wireshark preferences

5. MTU/FRAGMENTATION

  • Symptoms: Large UDP datagrams fragmented
  • Filter: ip.flags.mf == 1 (More Fragments flag)
  • Best Practice: Keep UDP payloads under 1472 bytes (1500 - headers)
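Issues 1 and 5 above, turned into checks that run over packet records. This is an added example, not part of the original chapter: `rtp_gaps` walks RTP sequence numbers in arrival order and reports missing ranges, handling the 16-bit wrap at 65535 and ignoring duplicates and late (reordered) arrivals rather than counting them as new gaps; `fragmentation_risk` flags datagrams whose payload exceeds the 1472-byte limit given above. Both inputs are constructed lists shaped like Wireshark's `rtp.seq` and `udp.length` columns.

```python
RTP_SEQ_MOD = 1 << 16           # RTP sequence numbers are 16 bits and wrap to 0
MAX_UDP_PAYLOAD_NO_FRAG = 1472  # 1500-byte MTU minus 20 (IPv4) minus 8 (UDP)

# Constructed RTP sequence numbers in arrival order: crosses the 65535 -> 0
# wrap, loses 3 and 4 after packet 2, then 4 arrives late and out of order.
SAMPLE_RTP_SEQ = [65533, 65534, 65535, 0, 1, 2, 5, 6, 4, 7]

# Constructed per-datagram records; udp_length is the header's Length field
# (header + data), as Wireshark shows it.
SAMPLE_UDP = [
    {"frame": 1, "dst_port": 53,    "udp_length": 40},
    {"frame": 2, "dst_port": 10000, "udp_length": 180},
    {"frame": 3, "dst_port": 2049,  "udp_length": 1480},   # payload exactly 1472: fits
    {"frame": 4, "dst_port": 2049,  "udp_length": 1481},   # payload 1473: will fragment
    {"frame": 5, "dst_port": 4789,  "udp_length": 8008},
]


def rtp_gaps(seqs):
    """Return (lost, gaps); each gap is (first_missing, next_received).
    A forward jump of less than half the sequence space is a loss; a zero or
    backward delta is a duplicate or a late packet and does not move the
    cursor. A late arrival is not credited back against the loss count."""
    lost, gaps, prev = 0, [], None
    for seq in seqs:
        if prev is not None:
            delta = (seq - prev) % RTP_SEQ_MOD
            if delta == 0 or delta >= RTP_SEQ_MOD // 2:
                continue                       # duplicate or reordered: keep prev
            if delta > 1:
                lost += delta - 1
                gaps.append(((prev + 1) % RTP_SEQ_MOD, seq))
        prev = seq
    return lost, gaps


def fragmentation_risk(records):
    """Frames whose UDP payload will not fit one 1500-byte frame and so go out
    as IP fragments (ip.flags.mf == 1); the whole datagram is lost if any one
    fragment is dropped."""
    return [r["frame"] for r in records
            if r["udp_length"] - 8 > MAX_UDP_PAYLOAD_NO_FRAG]


if __name__ == "__main__":
    lost, gaps = rtp_gaps(SAMPLE_RTP_SEQ)
    print(f"lost={lost} gaps={gaps}")                  # lost=2 gaps=[(3, 5)]
    print("fragmented frames:", fragmentation_risk(SAMPLE_UDP))   # [4, 5]
```

The half-sequence-space rule is the usual way to tell a wrap from reordering: with 16-bit numbers, a jump of 32768 or more is read as a packet from the past, not a gap of 32768 packets.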

5.15 Chapter Summary

Key Takeaways

UDP CHARACTERISTICS:

  • Connectionless, unreliable, fast transport protocol
  • 8-byte header (minimal overhead)
  • No flow control, no congestion control
  • Supports broadcast and multicast

UDP HEADER:

  • Source Port (16 bits)
  • Destination Port (16 bits)
  • Length (16 bits)
  • Checksum (16 bits) - optional in IPv4, mandatory in IPv6

PORT RANGES:

  • 0-1023: Well-Known (system services, requires admin)
  • 1024-49151: Registered (user applications)
  • 49152-65535: Dynamic/Ephemeral (client source ports)

COMMON UDP SERVICES:

  • DNS (53), DHCP (67/68), NTP (123), SNMP (161)
  • VoIP: SIP (5060), RTP (10000-20000)

WIRESHARK FILTERS:

  • udp.port == X, udp.length, dns, rtp, sip
