Dear all, I'm working with a capture and I would like to classify UDP conversations in two groups. One group with all UDP conversations that finish right and another group with UDP conversations that don't finish. How can I do it? Thanks in advance. asked 25 May '14, 10:32  meri edited 25 May '14, 10:35  Bill Meier ♦♦ |
One Answer:
There are no 'established' connections in UDP, as the protocol has no session establishment process. The client just sends data to the server within the first frame (and vice versa), so that's totally different than the TCP 3-way handshake (SYN,SYN-ACK,ACK). There might be a protocol on top of UDP that uses some kind of 'session concept'. As you did not mention that, I cannot give any good advice in that direction. So, to answer your question: You cannot filter for 'established' UDP connections, as there is no concept of an 'established connection' in UDP. Therefore, there is no way to filter for what you are asking, unless you can add some details about the protocol used on top of UDP (if there is one), like DNS, DTLS, etc. In some cases, you could then at least filter if you've ever received an answer for a certain request, which could be treated as a kind of an indicator for something like an 'established session'. Regards answered 25 May '14, 11:35  Kurt Knochner ♦ edited 25 May '14, 11:37 |
What's your definition of "finish right" ?
With no errors. I tried to search icmp and then destinations unreachables but I don't know if all icmp mean a wrong UDP conversation or not, for example time exceed.
UDP is not connection oriented, so its up to the application to determine if successful communication was achieved. What application are you talking about?
I'm thinking about and I think that is better to say that I'm looking UDP established conversations and no established. I hope you understand me.