How to list all requests to udp sockets?
UDP is a stateless protocol - so, no states.
To see what's listening for UDP:
netstat -lnpu
The equivalent command on modern linux:
ss -lnpu
You could log every UDP connection using iptables:
iptables -A INPUT -p udp -j LOG --log-prefix "udp connection: "
Perhaps you might want to limit it to some ports. Check documentation here or, preferably, man iptables
.
As others have mentioned UDP is connection-less so state isn't tracked in the standard locations you might look.
One method you could use is simply setup some simple netfilter rules that use the --state
option. This will force netfilter to track state related to UDP. Once you setup rules then you can use a tool like conntrack to look at the netfilter state table. Here for example is what one of my system looks like. You can see there are a couple systems that are frequently communicating to udp/1194 (OpenVPN).
root@enterprise:# conntrack -L -p udp
udp 17 173 src=192.168.32.1 dst=192.168.32.10 sport=41179 dport=1194 packets=2072 bytes=188058 src=192.168.32.10 dst=192.168.32.1 sport=1194 dport=41179 packets=2081 bytes=201185 [ASSURED] mark=0 secmark=0 use=1
udp 17 175 src=192.168.32.26 dst=192.168.32.10 sport=57440 dport=1194 packets=806767 bytes=154637738 src=192.168.32.10 dst=192.168.32.26 sport=1194 dport=57440 packets=1265893 bytes=1588040830 [ASSURED] mark=0 secmark=0 use=1
Your netfilter rules could be as simple as this.
/sbin/iptables -t filter -A INPUT -m state --state NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A FORWARD -m state --state NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -m state --state NEW\,ESTABLISHED -j ACCEPT
On Linux, assuming that the iproute2 is installed, you can run the ss command to pull udp sockets like so:
ss -u
Or all udp sockets, with the associated process:
[root@kerberos ks]# ss -u -pa
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 *:kerberos *:* users:(("krb5kdc",1935,7))
UNCONN 0 0 *:mdns *:* users:(("avahi-daemon",1613,13))
UNCONN 0 0 *:rquotad *:* users:(("rpc.rquotad",1872,3))
UNCONN 0 0 *:kerberos-iv *:* users:(("krb5kdc",1935,6))
UNCONN 0 0 *:sunrpc *:* users:(("rpcbind",1569,6))
UNCONN 0 0 *:ipp *:* users:(("cupsd",1687,9))
UNCONN 0 0 192.168.15.100:ntp *:* users:(("ntpd",1976,23))
UNCONN 0 0 172.16.15.1:ntp *:* users:(("ntpd",1976,22))
UNCONN 0 0 127.0.0.1:ntp *:* users:(("ntpd",1976,21))
UNCONN 0 0 *:ntp *:* users:(("ntpd",1976,16))
UNCONN 0 0 *:892 *:* users:(("rpc.mountd",1888,7))
UNCONN 0 0 *:896 *:* users:(("rpcbind",1569,7))
UNCONN 0 0 *:32769 *:*
UNCONN 0 0 *:nfs *:*
UNCONN 0 0 *:syslog *:* users:(("rsyslogd",1506,1))
UNCONN 0 0 *:42375 *:* users:(("avahi-daemon",1613,14))
UNCONN 0 0 *:pftp *:* users:(("rpc.statd",1643,8))
UNCONN 0 0 *:snmp *:* users:(("snmpd",1949,7))
UNCONN 0 0 *:37802 *:* users:(("squid",2124,9))
UNCONN 0 0 *:bootps *:* users:(("dhcpd",1987,7))
UNCONN 0 0 *:tftp *:* users:(("xinetd",1968,6))
UNCONN 0 0 *:971 *:* users:(("rpc.statd",1643,5))
UNCONN 0 0 *:kpasswd *:* users:(("kadmind",1926,6))
UNCONN 0 0 fe80::2e0:4cff:fe90:40eb:kerberos :::* users:(("krb5kdc",1935,11))
UNCONN 0 0 fe80::226:2dff:fe47:309f:kerberos :::* users:(("krb5kdc",1935,9))
UNCONN 0 0 fe80::2e0:4cff:fe90:40eb:kerberos-iv :::* users:(("krb5kdc",1935,10))
UNCONN 0 0 fe80::226:2dff:fe47:309f:kerberos-iv :::* users:(("krb5kdc",1935,8))
UNCONN 0 0 :::sunrpc :::* users:(("rpcbind",1569,9))
UNCONN 0 0 fe80::fc54:ff:feda:8094:ntp :::* users:(("ntpd",1976,26))
UNCONN 0 0 fe80::fc54:ff:fe52:8f66:ntp :::* users:(("ntpd",1976,30))
UNCONN 0 0 fe80::fc54:ff:feea:63a8:ntp :::* users:(("ntpd",1976,29))
UNCONN 0 0 fe80::fc54:ff:fe16:15c3:ntp :::* users:(("ntpd",1976,28))
UNCONN 0 0 fe80::fc54:ff:fe75:8012:ntp :::* users:(("ntpd",1976,27))
UNCONN 0 0 fe80::fc54:ff:feb3:4da8:ntp :::* users:(("ntpd",1976,25))
UNCONN 0 0 fe80::226:2dff:fe47:309f:ntp :::* users:(("ntpd",1976,20))
UNCONN 0 0 fe80::2e0:4cff:fe90:40eb:ntp :::* users:(("ntpd",1976,19))
UNCONN 0 0 ::1:ntp :::* users:(("ntpd",1976,18))
UNCONN 0 0 :::ntp :::* users:(("ntpd",1976,17))
UNCONN 0 0 :::892 :::* users:(("rpc.mountd",1888,9))
UNCONN 0 0 :::896 :::* users:(("rpcbind",1569,10))
UNCONN 0 0 :::32769 :::*
UNCONN 0 0 :::nfs :::*
UNCONN 0 0 :::syslog :::* users:(("rsyslogd",1506,2))
UNCONN 0 0 :::pftp :::* users:(("rpc.statd",1643,10))
UNCONN 0 0 fe80::2e0:4cff:fe90:40eb:kpasswd :::* users:(("kadmind",1926,8))
UNCONN 0 0 fe80::226:2dff:fe47:309f:kpasswd :::* users:(("kadmind",1926,7))
UNCONN 0 0 :::59603 :::* users:(("squid",2124,8))
[root@kerberos ks]# ss -upa
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 *:kerberos *:* users:(("krb5kdc",1935,7))
UNCONN 0 0 *:mdns *:* users:(("avahi-daemon",1613,13))
UNCONN 0 0 *:rquotad *:* users:(("rpc.rquotad",1872,3))
UNCONN 0 0 *:kerberos-iv *:* users:(("krb5kdc",1935,6))
UNCONN 0 0 *:sunrpc *:* users:(("rpcbind",1569,6))
UNCONN 0 0 *:ipp *:* users:(("cupsd",1687,9))
UNCONN 0 0 192.168.15.100:ntp *:* users:(("ntpd",1976,23))
UNCONN 0 0 172.16.15.1:ntp *:* users:(("ntpd",1976,22))
UNCONN 0 0 127.0.0.1:ntp *:* users:(("ntpd",1976,21))
UNCONN 0 0 *:ntp *:* users:(("ntpd",1976,16))
UNCONN 0 0 *:892 *:* users:(("rpc.mountd",1888,7))
UNCONN 0 0 *:896 *:* users:(("rpcbind",1569,7))
UNCONN 0 0 *:32769 *:*
UNCONN 0 0 *:nfs *:*
UNCONN 0 0 *:syslog *:* users:(("rsyslogd",1506,1))
UNCONN 0 0 *:42375 *:* users:(("avahi-daemon",1613,14))
UNCONN 0 0 *:pftp *:* users:(("rpc.statd",1643,8))
UNCONN 0 0 *:snmp *:* users:(("snmpd",1949,7))
UNCONN 0 0 *:37802 *:* users:(("squid",2124,9))
UNCONN 0 0 *:bootps *:* users:(("dhcpd",1987,7))
UNCONN 0 0 *:tftp *:* users:(("xinetd",1968,6))
UNCONN 0 0 *:971 *:* users:(("rpc.statd",1643,5))
UNCONN 0 0 *:kpasswd *:* users:(("kadmind",1926,6))
UNCONN 0 0 fe80::2e0:4cff:fe90:40eb:kerberos :::* users:(("krb5kdc",1935,11))
UNCONN 0 0 fe80::226:2dff:fe47:309f:kerberos :::* users:(("krb5kdc",1935,9))
UNCONN 0 0 fe80::2e0:4cff:fe90:40eb:kerberos-iv :::* users:(("krb5kdc",1935,10))
UNCONN 0 0 fe80::226:2dff:fe47:309f:kerberos-iv :::* users:(("krb5kdc",1935,8))
UNCONN 0 0 :::sunrpc :::* users:(("rpcbind",1569,9))
UNCONN 0 0 fe80::fc54:ff:feda:8094:ntp :::* users:(("ntpd",1976,26))
UNCONN 0 0 fe80::fc54:ff:fe52:8f66:ntp :::* users:(("ntpd",1976,30))
UNCONN 0 0 fe80::fc54:ff:feea:63a8:ntp :::* users:(("ntpd",1976,29))
UNCONN 0 0 fe80::fc54:ff:fe16:15c3:ntp :::* users:(("ntpd",1976,28))
UNCONN 0 0 fe80::fc54:ff:fe75:8012:ntp :::* users:(("ntpd",1976,27))
UNCONN 0 0 fe80::fc54:ff:feb3:4da8:ntp :::* users:(("ntpd",1976,25))
UNCONN 0 0 fe80::226:2dff:fe47:309f:ntp :::* users:(("ntpd",1976,20))
UNCONN 0 0 fe80::2e0:4cff:fe90:40eb:ntp :::* users:(("ntpd",1976,19))
UNCONN 0 0 ::1:ntp :::* users:(("ntpd",1976,18))
UNCONN 0 0 :::ntp :::* users:(("ntpd",1976,17))
UNCONN 0 0 :::892 :::* users:(("rpc.mountd",1888,9))
UNCONN 0 0 :::896 :::* users:(("rpcbind",1569,10))
UNCONN 0 0 :::32769 :::*
UNCONN 0 0 :::nfs :::*
UNCONN 0 0 :::syslog :::* users:(("rsyslogd",1506,2))
UNCONN 0 0 :::pftp :::* users:(("rpc.statd",1643,10))
UNCONN 0 0 fe80::2e0:4cff:fe90:40eb:kpasswd :::* users:(("kadmind",1926,8))
UNCONN 0 0 fe80::226:2dff:fe47:309f:kpasswd :::* users:(("kadmind",1926,7))
UNCONN 0 0 :::59603 :::* users:(("squid",2124,8))
Here are additional examples you can use with ss, including get connections per process.
http://www.cyberciti.biz/files/ss.html
inspired by this answer, i've found that the following ss
syntax works for me:
ss -u state CLOSE
… because "listening" UDP sockets are like "closed" TCP sockets.