Learn more about Israeli war crimes in Gaza, funded by the USA, Germany, the UK and others.

Creating a UDP connection with netcat

The netcat command nc is most often used to create TCP connections, but nc can also create UDP connections. From my remote server, I start listening for UDP connections to UDP port 12345:

jim@remote:~$ nc -u -l 0.0.0.0 12345

I connect to this UDP server from my laptop using:

jim@local:~$ nc -u -p 54321 personal.jameshfisher.com 12345

Above, I use the -u flag to toggle UDP mode for listening and connecting, and I use the -p flag to set the source UDP port on my laptop. Before starting nc on either machine, I started tcpdump on both machines, like this:

jim@remote:~$ sudo tcpdump -n 'udp port 12345 or icmp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens4, link-type EN10MB (Ethernet), capture size 262144 bytes

(You’ll see in a minute why I also included icmp in the filter.) If we were using TCP, we would have seen packets in this list as soon as we started the connection, due to the TCP “handshake” to initiate a connection. But with UDP, no packets have been exchanged yet, even though both nc processes are running.

So after starting both nc processes, do we have a “connection”? UDP is sometimes said to be “connectionless”, but I don’t quite buy this. My laptop at least is aware of a connection, and we can see the connection with lsof:

jim@local:~$ sudo lsof -nP -i UDP | awk 'NR == 1 || /12345/'
COMMAND     PID           USER   FD   TYPE            DEVICE SIZE/OFF NODE NAME
nc        41383            jim    3u  IPv4 0x86646b3906fdc4d      0t0  UDP 192.168.1.4:54321->35.190.176.201:12345

On the other hand, the server is not yet aware of the connection; lsof still only shows the process listening for a new connection:

jim@remote:~$ sudo lsof -nP -i UDP | awk 'NR == 1 || /12345/'
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nc       19075  jim    3u  IPv4  80196      0t0  UDP *:12345

Next, from my laptop, I type “hi” and hit return. This sends one UDP packet containing the string "hi\n". Finally, we see a UDP packet with tcpdump:

12:49:04.462186 IP 51.6.191.203.54321 > 10.142.0.2.12345: UDP, length 3

At this point, the server is aware of the connection, and we can see it with lsof:

jim@remote:~$ sudo lsof -nP -i UDP | awk 'NR == 1 || /12345/'
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nc       19075  jim    3u  IPv4  80196      0t0  UDP 10.142.0.2:12345->51.6.191.203:54321

So UDP does have connections, but in contrast to TCP, the UDP connection is only fully created once the first data packet is sent.

Next, I type “ack” on the server connection, and hit return. A UDP packet goes in the other direction:

13:12:57.824337 IP 35.190.176.201.12345 > 192.168.1.4.54321: UDP, length 4

Next, I kill the nc process on the server:

jim@remote:~$ nc -u -l 0.0.0.0 12345
hi
ack
^C

At this point, if this were TCP, would expect more packets negotiating a connection shutdown. But UDP doesn’t have this handshake either, so nothing is exchanged.

After killing the server process, do we have a connection? According to the server, no. But my laptop is completely unaware that the process was killed on the server, and still shows an active connection:

jim@local:~$ sudo lsof -nP -i UDP | awk 'NR == 1 || /12345/'
COMMAND     PID           USER   FD   TYPE            DEVICE SIZE/OFF NODE NAME
nc        41383            jim    3u  IPv4 0x86646b3906fdc4d      0t0  UDP 192.168.1.4:54321->35.190.176.201:12345

Because the nc process on the laptop still thinks there’s a connection, I can continue to send stuff with it. I type “hello..?”, and hit return. On tcpdump, I see:

13:18:27.846128 IP 192.168.1.4.54321 > 35.190.176.201.12345: UDP, length 9
13:18:27.943967 IP 35.190.176.201 > 192.168.1.4: ICMP 35.190.176.201 udp port 12345 unreachable, length 45

My laptop duly sends the UDP packet, but quickly receives a reply: “udp port 12345 unreachable”! At this point, my laptop knows the connection is gone, and it is no longer listed:

jim@local:~$ sudo lsof -nP -i UDP | awk 'NR == 1 || /12345/'
COMMAND     PID           USER   FD   TYPE            DEVICE SIZE/OFF NODE NAME

The “udp port 12345 unreachable” information is not in a UDP packet, but an ICMP packet. This is why I included icmp in the tcpdump filter. ICMP is “Internet Control Message Protocol”, and one use is to notify remote hosts that hosts or ports are unreachable. The ICMP packet was generated by my server after it received the “hello..?” message:

13:18:27.898045 IP 51.6.191.203.54321 > 10.142.0.2.12345: UDP, length 9
13:18:27.898099 IP 10.142.0.2 > 51.6.191.203: ICMP 10.142.0.2 udp port 12345 unreachable, length 45

As with the initial connection setup, the connection teardown is delayed in UDP until a packet is received.

Tagged #programming, #networking, #unix.

Similar posts

How to make a webserver with netcat (nc)
Use nc (netcat) to create a web server that returns custom HTTP responses. 2018-12-31
What does Linux do with a lost TCP connection?
Linux uses exponential backoff to retry dropped TCP connections, with a configurable retry limit. 2018-02-27
Running tcpdump on a TCP connection
tcpdump captures network traffic. Capture and analysis of a TCP connection, including the 3-way handshake and message exchange. 2018-02-23
What is DHCP?
DHCP dynamically assigns IP addresses to hosts, using a client-server protocol over UDP. It involves a sequence of DORA (Discover, Offer, Request, Acknowledge) messages to obtain and configure a network lease. 2018-02-06
What is tcpdump?
tcpdump captures and displays network traffic. An example inspecting DNS requests and responses. 2018-02-01
osquery: UNIX as a SQL database
osquery allows querying a UNIX system using SQL. 2017-12-11

More by Jim

What does the dot do in JavaScript?
foo.bar, foo.bar(), or foo.bar = baz - what do they mean? A deep dive into prototypical inheritance and getters/setters. 2020-11-01
Smear phishing: a new Android vulnerability
Trick Android to display an SMS as coming from any contact. Convincing phishing vuln, but still unpatched. 2020-08-06
A probabilistic pub quiz for nerds
A “true or false” quiz where you respond with your confidence level, and the optimal strategy is to report your true belief. 2020-04-26
Time is running out to catch COVID-19
Simulation shows it’s rational to deliberately infect yourself with COVID-19 early on to get treatment, but after healthcare capacity is exceeded, it’s better to avoid infection. Includes interactive parameters and visualizations. 2020-03-14
The inception bar: a new phishing method
A new phishing technique that displays a fake URL bar in Chrome for mobile. A key innovation is the “scroll jail” that traps the user in a fake browser. 2019-04-27
The hacker hype cycle
I got started with simple web development, but because enamored with increasingly esoteric programming concepts, leading to a “trough of hipster technologies” before returning to more productive work. 2019-03-23
Project C-43: the lost origins of asymmetric crypto
Bob invents asymmetric cryptography by playing loud white noise to obscure Alice’s message, which he can cancel out but an eavesdropper cannot. This idea, published in 1944 by Walter Koenig Jr., is the forgotten origin of asymmetric crypto. 2019-02-16
How Hacker News stays interesting
Hacker News buried my post on conspiracy theories in my family due to overheated discussion, not censorship. Moderation keeps the site focused on interesting technical content. 2019-01-26
My parents are Flat-Earthers
For decades, my parents have been working up to Flat-Earther beliefs. From Egyptology to Jehovah’s Witnesses to theories that human built the Moon billions of years in the future. Surprisingly, it doesn’t affect their successful lives very much. For me, it’s a fun family pastime. 2019-01-20
The dots do matter: how to scam a Gmail user
Gmail’s “dots don’t matter” feature lets scammers create an account on, say, Netflix, with your email address but different dots. Results in convincing phishing emails. 2018-04-07
The sorry state of OpenSSL usability
OpenSSL’s inadequate documentation, confusing key formats, and deprecated interfaces make it difficult to use, despite its importance. 2017-12-02
I hate telephones
I hate telephones. Some rational reasons: lack of authentication, no spam filtering, forced synchronous communication. But also just a visceral fear. 2017-11-08
The Three Ts of Time, Thought and Typing: measuring cost on the web
Businesses often tout “free” services, but the real costs come in terms of time, thought, and typing required from users. Reducing these “Three Ts” is key to improving sign-up flows and increasing conversions. 2017-10-26
Granddad died today
Granddad died. The unspoken practice of death-by-dehydration in the NHS. The Liverpool Care Pathway. Assisted dying in the UK. The importance of planning in end-of-life care. 2017-05-19
How do I call a program in C, setting up standard pipes?
A C function to create a new process, set up its standard input/output/error pipes, and return a struct containing the process ID and pipe file descriptors. 2017-02-17
Your syntax highlighter is wrong
Syntax highlighters make value judgments about code. Most highlighters judge that comments are cruft, and try to hide them. Most diff viewers judge that code deletions are bad. 2014-05-11
Want to build a fantastic product using LLMs? I work at Granola where we're building the future IDE for knowledge work. Come and work with us! Read more or get in touch!

This page copyright James Fisher 2018. Content is not associated with my employer. Found an error? Edit this page.

Jim Fisher
CV
Speaking
Blogroll
RSS
TigYog
Kickabout