How do I create a UDP packet?
Clash Royale CLAN TAG#URR8PPP
up vote
14
down vote
favorite
When I perform the following Netcat command and view the packets with Wireshark, it says the UDP packet is malformed.
$ echo "this is a test" | nc -u 127.0.0.1 53
Similarly, using commands like $ echo "this is a test" > /dev/udp/127.0.0.1/53
produce "malformed packet" errors in Wireshark.
The echo command gets sent/delivered to the Netcat server without errors. But this got me wondering: is it possible to manually construct a proper UDP packet with echo or some other native Unix tool(s)?
I'm using Debian and macOS.
linux debian osx netcat udp
|
show 2 more comments
up vote
14
down vote
favorite
When I perform the following Netcat command and view the packets with Wireshark, it says the UDP packet is malformed.
$ echo "this is a test" | nc -u 127.0.0.1 53
Similarly, using commands like $ echo "this is a test" > /dev/udp/127.0.0.1/53
produce "malformed packet" errors in Wireshark.
The echo command gets sent/delivered to the Netcat server without errors. But this got me wondering: is it possible to manually construct a proper UDP packet with echo or some other native Unix tool(s)?
I'm using Debian and macOS.
linux debian osx netcat udp
10
According to your screenshot it's not the udp-packet itself which is malformed but its content, as port 53 is used for DNS and your packet doesn't contain a valid DNS request.
– tkausl
Nov 23 at 18:17
@tkausl you're absolutely right. There are no "malformed" errors when using ports other than 53. Thank you for pointing that out.
– user322500
Nov 23 at 18:22
1
If you aren't using standard protocols you are supposed to use ports in the range 49152 to 65535. Since Linux by default uses the range 32768 to 60999 as ephemeral ports I recommend not choosing those either for non-standard protocols. However 61000 to 65535 are fair game for non-standard protocols. I usually useecho $[61002+RANDOM%4532]
to pick a random port number in that range.
– kasperd
Nov 23 at 21:21
1
Don't be logged in as root. You should do most of your activity as a non-root user. If you do stuff as root, you will be back on here asking how to fix your machine, and we won't be able to help (except to recommend a re-install).
– ctrl-alt-delor
Nov 24 at 0:18
1
@tkausl Look what have you lost for not posting your comment as answer....
– George Vasiliou
Nov 25 at 20:23
|
show 2 more comments
up vote
14
down vote
favorite
up vote
14
down vote
favorite
When I perform the following Netcat command and view the packets with Wireshark, it says the UDP packet is malformed.
$ echo "this is a test" | nc -u 127.0.0.1 53
Similarly, using commands like $ echo "this is a test" > /dev/udp/127.0.0.1/53
produce "malformed packet" errors in Wireshark.
The echo command gets sent/delivered to the Netcat server without errors. But this got me wondering: is it possible to manually construct a proper UDP packet with echo or some other native Unix tool(s)?
I'm using Debian and macOS.
linux debian osx netcat udp
When I perform the following Netcat command and view the packets with Wireshark, it says the UDP packet is malformed.
$ echo "this is a test" | nc -u 127.0.0.1 53
Similarly, using commands like $ echo "this is a test" > /dev/udp/127.0.0.1/53
produce "malformed packet" errors in Wireshark.
The echo command gets sent/delivered to the Netcat server without errors. But this got me wondering: is it possible to manually construct a proper UDP packet with echo or some other native Unix tool(s)?
I'm using Debian and macOS.
linux debian osx netcat udp
linux debian osx netcat udp
edited Nov 24 at 9:36
Peter Mortensen
85758
85758
asked Nov 23 at 16:01
user322500
714
714
10
According to your screenshot it's not the udp-packet itself which is malformed but its content, as port 53 is used for DNS and your packet doesn't contain a valid DNS request.
– tkausl
Nov 23 at 18:17
@tkausl you're absolutely right. There are no "malformed" errors when using ports other than 53. Thank you for pointing that out.
– user322500
Nov 23 at 18:22
1
If you aren't using standard protocols you are supposed to use ports in the range 49152 to 65535. Since Linux by default uses the range 32768 to 60999 as ephemeral ports I recommend not choosing those either for non-standard protocols. However 61000 to 65535 are fair game for non-standard protocols. I usually useecho $[61002+RANDOM%4532]
to pick a random port number in that range.
– kasperd
Nov 23 at 21:21
1
Don't be logged in as root. You should do most of your activity as a non-root user. If you do stuff as root, you will be back on here asking how to fix your machine, and we won't be able to help (except to recommend a re-install).
– ctrl-alt-delor
Nov 24 at 0:18
1
@tkausl Look what have you lost for not posting your comment as answer....
– George Vasiliou
Nov 25 at 20:23
|
show 2 more comments
10
According to your screenshot it's not the udp-packet itself which is malformed but its content, as port 53 is used for DNS and your packet doesn't contain a valid DNS request.
– tkausl
Nov 23 at 18:17
@tkausl you're absolutely right. There are no "malformed" errors when using ports other than 53. Thank you for pointing that out.
– user322500
Nov 23 at 18:22
1
If you aren't using standard protocols you are supposed to use ports in the range 49152 to 65535. Since Linux by default uses the range 32768 to 60999 as ephemeral ports I recommend not choosing those either for non-standard protocols. However 61000 to 65535 are fair game for non-standard protocols. I usually useecho $[61002+RANDOM%4532]
to pick a random port number in that range.
– kasperd
Nov 23 at 21:21
1
Don't be logged in as root. You should do most of your activity as a non-root user. If you do stuff as root, you will be back on here asking how to fix your machine, and we won't be able to help (except to recommend a re-install).
– ctrl-alt-delor
Nov 24 at 0:18
1
@tkausl Look what have you lost for not posting your comment as answer....
– George Vasiliou
Nov 25 at 20:23
10
10
According to your screenshot it's not the udp-packet itself which is malformed but its content, as port 53 is used for DNS and your packet doesn't contain a valid DNS request.
– tkausl
Nov 23 at 18:17
According to your screenshot it's not the udp-packet itself which is malformed but its content, as port 53 is used for DNS and your packet doesn't contain a valid DNS request.
– tkausl
Nov 23 at 18:17
@tkausl you're absolutely right. There are no "malformed" errors when using ports other than 53. Thank you for pointing that out.
– user322500
Nov 23 at 18:22
@tkausl you're absolutely right. There are no "malformed" errors when using ports other than 53. Thank you for pointing that out.
– user322500
Nov 23 at 18:22
1
1
If you aren't using standard protocols you are supposed to use ports in the range 49152 to 65535. Since Linux by default uses the range 32768 to 60999 as ephemeral ports I recommend not choosing those either for non-standard protocols. However 61000 to 65535 are fair game for non-standard protocols. I usually use
echo $[61002+RANDOM%4532]
to pick a random port number in that range.– kasperd
Nov 23 at 21:21
If you aren't using standard protocols you are supposed to use ports in the range 49152 to 65535. Since Linux by default uses the range 32768 to 60999 as ephemeral ports I recommend not choosing those either for non-standard protocols. However 61000 to 65535 are fair game for non-standard protocols. I usually use
echo $[61002+RANDOM%4532]
to pick a random port number in that range.– kasperd
Nov 23 at 21:21
1
1
Don't be logged in as root. You should do most of your activity as a non-root user. If you do stuff as root, you will be back on here asking how to fix your machine, and we won't be able to help (except to recommend a re-install).
– ctrl-alt-delor
Nov 24 at 0:18
Don't be logged in as root. You should do most of your activity as a non-root user. If you do stuff as root, you will be back on here asking how to fix your machine, and we won't be able to help (except to recommend a re-install).
– ctrl-alt-delor
Nov 24 at 0:18
1
1
@tkausl Look what have you lost for not posting your comment as answer....
– George Vasiliou
Nov 25 at 20:23
@tkausl Look what have you lost for not posting your comment as answer....
– George Vasiliou
Nov 25 at 20:23
|
show 2 more comments
3 Answers
3
active
oldest
votes
up vote
40
down vote
Your packet is completely valid, from the viewpoint of IP and UDP. If you expand the protocol details for Ethernet/IP/UDP in the lower pane of Wireshark, you will see that the packet is successfully parsed.
However, as it is destined for port 53, Wireshark attempts to parse it as a DNS packet, which it cannot do (since the string "this is a test" is not a valid DNS request per the RFC 1035 spec).
If you follow the specification at that link, you will be able to construct a packet that is valid when parsed as a DNS request. If you send the packet to another port, you'll notice that Wireshark will no longer parse it as a DNS request and will hence not show that warning.
add a comment |
up vote
14
down vote
You can send them to Bash special aliases with redirection.
From Bash manpages:
/dev/tcp/host/port
If host is a valid hostname or Internet address, and port is an integer port number or service name, bash attempts to open the
corresponding TCP socket.
/dev/udp/host/port
If host is a valid hostname or Internet address, and port is an integer port number or service name, bash attempts to open the
corresponding UDP socket.
This will send a UDP packet to 192.168.2.11 to port 8080:
echo "This is a test" > /dev/udp/192.168.2.11/8080
Thanks for this answer. I've updated my question. Using your method also produces a "malformed packet" error message, unfortunately.
– user322500
Nov 23 at 16:42
add a comment |
up vote
-1
down vote
There are multiple questions here; the claim of a "malformed packet" may be due to checksum offloading and if so is a false error as it reflects the packet capture not having a complete view--some of the work was instead done on the network hardware. WireShark should have documentation on this.
Otherwise, various tools (such as socat
, nc
or netcat
, or via extremely similar features in shells such as ksh93
or bash
) can take bytes from standard input and dump them into what becomes a UDP packet. Whether this is "proper" depends on the protocol; one could in theory construct and send a DNS or DHCP packet this way, though more often folks use a library or dedicated software that (hopefully) correctly implements the protocol in question, as there is usually a lot more involved than setting a few bits in the body of a packet and sending that out over the wire, notably handling responses, retrying after timeout or error, packet header fields, etc. The protocols are usually very well documented in RFC, or see the "TCP/IP Illustrated" book series by Stevens for even more documentation.
Specific tools such as nmap
do very custom things with packet construction. Otherwise for manual packet construction a programming language is typically used, though again most software will use existing libraries or system services to send out DNS or DHCP or other UDP packets, as those are far less work and far less error prone than manually crafting a raw packet from scratch.
add a comment |
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
40
down vote
Your packet is completely valid, from the viewpoint of IP and UDP. If you expand the protocol details for Ethernet/IP/UDP in the lower pane of Wireshark, you will see that the packet is successfully parsed.
However, as it is destined for port 53, Wireshark attempts to parse it as a DNS packet, which it cannot do (since the string "this is a test" is not a valid DNS request per the RFC 1035 spec).
If you follow the specification at that link, you will be able to construct a packet that is valid when parsed as a DNS request. If you send the packet to another port, you'll notice that Wireshark will no longer parse it as a DNS request and will hence not show that warning.
add a comment |
up vote
40
down vote
Your packet is completely valid, from the viewpoint of IP and UDP. If you expand the protocol details for Ethernet/IP/UDP in the lower pane of Wireshark, you will see that the packet is successfully parsed.
However, as it is destined for port 53, Wireshark attempts to parse it as a DNS packet, which it cannot do (since the string "this is a test" is not a valid DNS request per the RFC 1035 spec).
If you follow the specification at that link, you will be able to construct a packet that is valid when parsed as a DNS request. If you send the packet to another port, you'll notice that Wireshark will no longer parse it as a DNS request and will hence not show that warning.
add a comment |
up vote
40
down vote
up vote
40
down vote
Your packet is completely valid, from the viewpoint of IP and UDP. If you expand the protocol details for Ethernet/IP/UDP in the lower pane of Wireshark, you will see that the packet is successfully parsed.
However, as it is destined for port 53, Wireshark attempts to parse it as a DNS packet, which it cannot do (since the string "this is a test" is not a valid DNS request per the RFC 1035 spec).
If you follow the specification at that link, you will be able to construct a packet that is valid when parsed as a DNS request. If you send the packet to another port, you'll notice that Wireshark will no longer parse it as a DNS request and will hence not show that warning.
Your packet is completely valid, from the viewpoint of IP and UDP. If you expand the protocol details for Ethernet/IP/UDP in the lower pane of Wireshark, you will see that the packet is successfully parsed.
However, as it is destined for port 53, Wireshark attempts to parse it as a DNS packet, which it cannot do (since the string "this is a test" is not a valid DNS request per the RFC 1035 spec).
If you follow the specification at that link, you will be able to construct a packet that is valid when parsed as a DNS request. If you send the packet to another port, you'll notice that Wireshark will no longer parse it as a DNS request and will hence not show that warning.
answered Nov 23 at 19:29
hexafraction
540518
540518
add a comment |
add a comment |
up vote
14
down vote
You can send them to Bash special aliases with redirection.
From Bash manpages:
/dev/tcp/host/port
If host is a valid hostname or Internet address, and port is an integer port number or service name, bash attempts to open the
corresponding TCP socket.
/dev/udp/host/port
If host is a valid hostname or Internet address, and port is an integer port number or service name, bash attempts to open the
corresponding UDP socket.
This will send a UDP packet to 192.168.2.11 to port 8080:
echo "This is a test" > /dev/udp/192.168.2.11/8080
Thanks for this answer. I've updated my question. Using your method also produces a "malformed packet" error message, unfortunately.
– user322500
Nov 23 at 16:42
add a comment |
up vote
14
down vote
You can send them to Bash special aliases with redirection.
From Bash manpages:
/dev/tcp/host/port
If host is a valid hostname or Internet address, and port is an integer port number or service name, bash attempts to open the
corresponding TCP socket.
/dev/udp/host/port
If host is a valid hostname or Internet address, and port is an integer port number or service name, bash attempts to open the
corresponding UDP socket.
This will send a UDP packet to 192.168.2.11 to port 8080:
echo "This is a test" > /dev/udp/192.168.2.11/8080
Thanks for this answer. I've updated my question. Using your method also produces a "malformed packet" error message, unfortunately.
– user322500
Nov 23 at 16:42
add a comment |
up vote
14
down vote
up vote
14
down vote
You can send them to Bash special aliases with redirection.
From Bash manpages:
/dev/tcp/host/port
If host is a valid hostname or Internet address, and port is an integer port number or service name, bash attempts to open the
corresponding TCP socket.
/dev/udp/host/port
If host is a valid hostname or Internet address, and port is an integer port number or service name, bash attempts to open the
corresponding UDP socket.
This will send a UDP packet to 192.168.2.11 to port 8080:
echo "This is a test" > /dev/udp/192.168.2.11/8080
You can send them to Bash special aliases with redirection.
From Bash manpages:
/dev/tcp/host/port
If host is a valid hostname or Internet address, and port is an integer port number or service name, bash attempts to open the
corresponding TCP socket.
/dev/udp/host/port
If host is a valid hostname or Internet address, and port is an integer port number or service name, bash attempts to open the
corresponding UDP socket.
This will send a UDP packet to 192.168.2.11 to port 8080:
echo "This is a test" > /dev/udp/192.168.2.11/8080
edited Nov 23 at 20:05
Peter Mortensen
85758
85758
answered Nov 23 at 16:13
rAlen
675410
675410
Thanks for this answer. I've updated my question. Using your method also produces a "malformed packet" error message, unfortunately.
– user322500
Nov 23 at 16:42
add a comment |
Thanks for this answer. I've updated my question. Using your method also produces a "malformed packet" error message, unfortunately.
– user322500
Nov 23 at 16:42
Thanks for this answer. I've updated my question. Using your method also produces a "malformed packet" error message, unfortunately.
– user322500
Nov 23 at 16:42
Thanks for this answer. I've updated my question. Using your method also produces a "malformed packet" error message, unfortunately.
– user322500
Nov 23 at 16:42
add a comment |
up vote
-1
down vote
There are multiple questions here; the claim of a "malformed packet" may be due to checksum offloading and if so is a false error as it reflects the packet capture not having a complete view--some of the work was instead done on the network hardware. WireShark should have documentation on this.
Otherwise, various tools (such as socat
, nc
or netcat
, or via extremely similar features in shells such as ksh93
or bash
) can take bytes from standard input and dump them into what becomes a UDP packet. Whether this is "proper" depends on the protocol; one could in theory construct and send a DNS or DHCP packet this way, though more often folks use a library or dedicated software that (hopefully) correctly implements the protocol in question, as there is usually a lot more involved than setting a few bits in the body of a packet and sending that out over the wire, notably handling responses, retrying after timeout or error, packet header fields, etc. The protocols are usually very well documented in RFC, or see the "TCP/IP Illustrated" book series by Stevens for even more documentation.
Specific tools such as nmap
do very custom things with packet construction. Otherwise for manual packet construction a programming language is typically used, though again most software will use existing libraries or system services to send out DNS or DHCP or other UDP packets, as those are far less work and far less error prone than manually crafting a raw packet from scratch.
add a comment |
up vote
-1
down vote
There are multiple questions here; the claim of a "malformed packet" may be due to checksum offloading and if so is a false error as it reflects the packet capture not having a complete view--some of the work was instead done on the network hardware. WireShark should have documentation on this.
Otherwise, various tools (such as socat
, nc
or netcat
, or via extremely similar features in shells such as ksh93
or bash
) can take bytes from standard input and dump them into what becomes a UDP packet. Whether this is "proper" depends on the protocol; one could in theory construct and send a DNS or DHCP packet this way, though more often folks use a library or dedicated software that (hopefully) correctly implements the protocol in question, as there is usually a lot more involved than setting a few bits in the body of a packet and sending that out over the wire, notably handling responses, retrying after timeout or error, packet header fields, etc. The protocols are usually very well documented in RFC, or see the "TCP/IP Illustrated" book series by Stevens for even more documentation.
Specific tools such as nmap
do very custom things with packet construction. Otherwise for manual packet construction a programming language is typically used, though again most software will use existing libraries or system services to send out DNS or DHCP or other UDP packets, as those are far less work and far less error prone than manually crafting a raw packet from scratch.
add a comment |
up vote
-1
down vote
up vote
-1
down vote
There are multiple questions here; the claim of a "malformed packet" may be due to checksum offloading and if so is a false error as it reflects the packet capture not having a complete view--some of the work was instead done on the network hardware. WireShark should have documentation on this.
Otherwise, various tools (such as socat
, nc
or netcat
, or via extremely similar features in shells such as ksh93
or bash
) can take bytes from standard input and dump them into what becomes a UDP packet. Whether this is "proper" depends on the protocol; one could in theory construct and send a DNS or DHCP packet this way, though more often folks use a library or dedicated software that (hopefully) correctly implements the protocol in question, as there is usually a lot more involved than setting a few bits in the body of a packet and sending that out over the wire, notably handling responses, retrying after timeout or error, packet header fields, etc. The protocols are usually very well documented in RFC, or see the "TCP/IP Illustrated" book series by Stevens for even more documentation.
Specific tools such as nmap
do very custom things with packet construction. Otherwise for manual packet construction a programming language is typically used, though again most software will use existing libraries or system services to send out DNS or DHCP or other UDP packets, as those are far less work and far less error prone than manually crafting a raw packet from scratch.
There are multiple questions here; the claim of a "malformed packet" may be due to checksum offloading and if so is a false error as it reflects the packet capture not having a complete view--some of the work was instead done on the network hardware. WireShark should have documentation on this.
Otherwise, various tools (such as socat
, nc
or netcat
, or via extremely similar features in shells such as ksh93
or bash
) can take bytes from standard input and dump them into what becomes a UDP packet. Whether this is "proper" depends on the protocol; one could in theory construct and send a DNS or DHCP packet this way, though more often folks use a library or dedicated software that (hopefully) correctly implements the protocol in question, as there is usually a lot more involved than setting a few bits in the body of a packet and sending that out over the wire, notably handling responses, retrying after timeout or error, packet header fields, etc. The protocols are usually very well documented in RFC, or see the "TCP/IP Illustrated" book series by Stevens for even more documentation.
Specific tools such as nmap
do very custom things with packet construction. Otherwise for manual packet construction a programming language is typically used, though again most software will use existing libraries or system services to send out DNS or DHCP or other UDP packets, as those are far less work and far less error prone than manually crafting a raw packet from scratch.
edited Nov 24 at 9:12
Stéphane Chazelas
295k54559902
295k54559902
answered Nov 23 at 17:47
thrig
23.8k12955
23.8k12955
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f483717%2fhow-do-i-create-a-udp-packet%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
10
According to your screenshot it's not the udp-packet itself which is malformed but its content, as port 53 is used for DNS and your packet doesn't contain a valid DNS request.
– tkausl
Nov 23 at 18:17
@tkausl you're absolutely right. There are no "malformed" errors when using ports other than 53. Thank you for pointing that out.
– user322500
Nov 23 at 18:22
1
If you aren't using standard protocols you are supposed to use ports in the range 49152 to 65535. Since Linux by default uses the range 32768 to 60999 as ephemeral ports I recommend not choosing those either for non-standard protocols. However 61000 to 65535 are fair game for non-standard protocols. I usually use
echo $[61002+RANDOM%4532]
to pick a random port number in that range.– kasperd
Nov 23 at 21:21
1
Don't be logged in as root. You should do most of your activity as a non-root user. If you do stuff as root, you will be back on here asking how to fix your machine, and we won't be able to help (except to recommend a re-install).
– ctrl-alt-delor
Nov 24 at 0:18
1
@tkausl Look what have you lost for not posting your comment as answer....
– George Vasiliou
Nov 25 at 20:23