Dump UDP header / Source Port / Destination Port

********************************************************************************
UDP header : 8 Octets (RFC 768)

                  0      7 8     15 16    23 24    31
                 +--------+--------+--------+--------+
                 |     Source      |   Destination   |
                 |      Port       |      Port       |
                 +--------+--------+--------+--------+
                 |                 |                 |
                 |     Length      |    Checksum     |
                 +--------+--------+--------+--------+
                 |
                 |          data octets ...
                 +---------------- ...

                      User Datagram Header Format

Source Port is an optional field, when meaningful, it indicates the port
of the sending process, and may be assumed to be the port to which a
reply should be addressed in the absence of any other information. If
not used, a value of zero is inserted.

Destination Port has a meaning within the context of a particular
internet destination address.

Length is the length in octets of this user datagram including this
header and the data. (This means the minimum value of the length is
eight.)
********************************************************************************

Dump UDP packets with source port 53

server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s38 ip and udp and src port 53
tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 38 bytes
2022-05-25 16:58:54.987637 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 97: (tos 0x0, ttl 64, id 47075, offset 0, flags [none], proto UDP (17), length 83)
    85.15.6.12.53 > 85.15.5.75.58221: [|udp]
        0x0000:  d89d 671a 38c5 1a81 fbcb bd7a 0800 4500  ..g.8......z..E.
        0x0010:  0053 b7e3 0000 4011 0d42 550f 060c 550f  .S....@..BU...U.
        0x0020:  054b 0035 e36d                           .K.5.m
2022-05-25 16:58:54.988507 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 88: (tos 0x0, ttl 54, id 36318, offset 0, flags [DF], proto UDP (17), length 74)
    192.174.68.100.53 > 85.15.6.12.33203: [|udp]
        0x0000:  1a81 fbcb bd7a d89d 671a 38c5 0800 4500  .....z..g.8...E.
        0x0010:  004a 8dde 4000 3611 5697 c0ae 4464 550f  .J..@.6.V...DdU.
        0x0020:  060c 0035 81b3                           ...5..
2022-05-25 16:58:54.994487 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 93: (tos 0x0, ttl 52, id 11698, offset 0, flags [DF], proto UDP (17), length 79)
    188.40.209.121.53 > 85.15.6.12.27604: [|udp]
        0x0000:  1a81 fbcb bd7a d89d 671a 38c5 0800 4500  .....z..g.8...E.
        0x0010:  004f 2db2 4000 3411 302f bc28 d179 550f  .O-.@.4.0/.(.yU.
        0x0020:  060c 0035 6bd4                           ...5k.
2022-05-25 16:58:55.003753 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 97: (tos 0x0, ttl 64, id 47079, offset 0, flags [none], proto UDP (17), length 83)
    85.15.6.12.53 > 85.15.5.75.49272: [|udp]
        0x0000:  d89d 671a 38c5 1a81 fbcb bd7a 0800 4500  ..g.8......z..E.
        0x0010:  0053 b7e7 0000 4011 0d3e 550f 060c 550f  .S....@..>U...U.
        0x0020:  054b 0035 c078                           .K.5.x
4 packets captured
21 packets received by filter
0 packets dropped by kernel

Port 53 Decimal = 0x35

server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s38 '(link[12:2] == 0x0800)' and '(ip[0] & 0xf0 == 0x40)' and '(ip[9] == 0x11)' and '(link[34:2] == 0x0035)'
tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 38 bytes
2022-05-25 17:01:41.248376 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 52, id 62435, offset 0, flags [none], proto UDP (17), length 72)
    64.32.28.226.53 > 85.15.6.12.64729: [|udp]
        0x0000:  1a81 fbcb bd7a d89d 671a 38c5 0800 4500  .....z..g.8...E.
        0x0010:  0048 f3e3 0000 3411 daa4 4020 1ce2 550f  .H....4...@...U.
        0x0020:  060c 0035 fcd9                           ...5..
2022-05-25 17:01:41.248563 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 97: (tos 0x0, ttl 54, id 52354, offset 0, flags [DF], proto UDP (17), length 83)
    108.162.193.60.53 > 85.15.6.12.42919: [|udp]
        0x0000:  1a81 fbcb bd7a d89d 671a 38c5 0800 4500  .....z..g.8...E.
        0x0010:  0053 cc82 4000 3611 ef1d 6ca2 c13c 550f  .S..@.6...l..
1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 96: (tos 0x0, ttl 54, id 38008, offset 0, flags [DF], proto UDP (17), length 82)
    108.162.192.136.53 > 85.15.6.12.47528: [|udp]
        0x0000:  1a81 fbcb bd7a d89d 671a 38c5 0800 4500  .....z..g.8...E.
        0x0010:  0052 9478 4000 3611 27dd 6ca2 c088 550f  .R.x@.6.'.l...U.
        0x0020:  060c 0035 b9a8                           ...5..
2022-05-25 17:01:41.258452 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 89: (tos 0x0, ttl 50, id 64185, offset 0, flags [none], proto UDP (17), length 75)
    139.162.215.211.53 > 85.15.6.12.13337: [|udp]
        0x0000:  1a81 fbcb bd7a d89d 671a 38c5 0800 4500  .....z..g.8...E.
        0x0010:  004b fab9 0000 3211 cf57 8ba2 d7d3 550f  .K....2..W....U.
        0x0020:  060c 0035 3419                           ...54.
4 packets captured
33 packets received by filter
0 packets dropped by kernel

server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s38 '(link[12:2] == 0x0800)' and '(ip[0] & 0xf0 == 0x40)' and '(ip[9] == 0x11)' and '(ip[20:2] == 0x0035)'
tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 38 bytes
2022-05-25 17:02:03.523366 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 134: (tos 0x0, ttl 109, id 26613, offset 0, flags [none], proto UDP (17), length 120)
    13.107.222.33.53 > 85.15.6.12.62677: [|udp]
        0x0000:  1a81 fbcb bd7a d89d 671a 38c5 0800 4500  .....z..g.8...E.
        0x0010:  0078 67f5 0000 6d11 9ed8 0d6b de21 550f  .xg...m....k.!U.
        0x0020:  060c 0035 f4d5                           ...5..
2022-05-25 17:02:03.525874 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 93: (tos 0x0, ttl 58, id 46707, offset 0, flags [none], proto UDP (17), length 79)
    185.188.105.11.53 > 85.15.6.12.28959: [|udp]
        0x0000:  1a81 fbcb bd7a d89d 671a 38c5 0800 4500  .....z..g.8...E.
        0x0010:  004f b673 0000 3a11 4c48 b9bc 690b 550f  .O.s..:.LH..i.U.
        0x0020:  060c 0035 711f                           ...5q.
2022-05-25 17:02:03.525876 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 93: (tos 0x0, ttl 52, id 42608, offset 0, flags [DF], proto UDP (17), length 79)
    188.40.209.121.53 > 85.15.6.12.31615: [|udp]
        0x0000:  1a81 fbcb bd7a d89d 671a 38c5 0800 4500  .....z..g.8...E.
        0x0010:  004f a670 4000 3411 b770 bc28 d179 550f  .O.p@.4..p.(.yU.
        0x0020:  060c 0035 7b7f                           ...5{.
2022-05-25 17:02:03.526098 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 138: (tos 0x0, ttl 54, id 54609, offset 0, flags [DF], proto UDP (17), length 124)
    172.64.35.63.53 > 85.15.6.12.36501: [|udp]
        0x0000:  1a81 fbcb bd7a d89d 671a 38c5 0800 4500  .....z..g.8...E.
        0x0010:  007c d551 4000 3611 4485 ac40 233f 550f  .|.Q@.6.D..@#?U.
        0x0020:  060c 0035 8e95                           ...5..
4 packets captured
31 packets received by filter
0 packets dropped by kernel

server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s38 '(link[12:2] == 0x0800)' and '(ip[0] & 0xf0 == 0x40)' and '(ip[9] == 0x11)' and '(udp[0:2] == 0x0035)'
tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 38 bytes
2022-05-25 17:02:14.814540 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 93: (tos 0x0, ttl 53, id 64417, offset 0, flags [none], proto UDP (17), length 79)
    88.198.13.152.53 > 85.15.6.12.43774: [|udp]
        0x0000:  1a81 fbcb bd7a d89d 671a 38c5 0800 4500  .....z..g.8...E.
        0x0010:  004f fba1 0000 3511 c883 58c6 0d98 550f  .O....5...X...U.
        0x0020:  060c 0035 aafe                           ...5..
2022-05-25 17:02:14.836049 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 97: (tos 0x0, ttl 64, id 13026, offset 0, flags [none], proto UDP (17), length 83)
    85.15.6.12.53 > 85.15.5.75.43228: [|udp]
        0x0000:  d89d 671a 38c5 1a81 fbcb bd7a 0800 4500  ..g.8......z..E.
        0x0010:  0053 32e2 0000 4011 9243 550f 060c 550f  .S2...@..CU...U.
        0x0020:  054b 0035 a8dc                           .K.5..
2022-05-25 17:02:14.854389 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 85: (tos 0x0, ttl 52, id 12971, offset 0, flags [none], proto UDP (17), length 71)
    64.32.28.226.53 > 85.15.6.12.52450: [|udp]
        0x0000:  1a81 fbcb bd7a d89d 671a 38c5 0800 4500  .....z..g.8...E.
        0x0010:  0047 32ab 0000 3411 9bde 4020 1ce2 550f  .G2...4...@...U.
        0x0020:  060c 0035 cce2                           ...5..
2022-05-25 17:02:14.862120 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 731: (tos 0x0, ttl 49, id 34777, offset 0, flags [none], proto UDP (17), length 717)
    185.159.197.3.53 > 85.15.6.12.47395: [|udp]
        0x0000:  1a81 fbcb bd7a d89d 671a 38c5 0800 4500  .....z..g.8...E.
        0x0010:  02cd 87d9 0000 3111 2589 b99f c503 550f  ......1.%.....U.
        0x0020:  060c 0035 b923                           ...5.#
4 packets captured
16 packets received by filter
0 packets dropped by kernel
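
Added example, not part of the original page: the offset arithmetic behind the filters above, run against the first captured frame. link[34:2] and ip[20:2] read a fixed offset and so assume an untagged Ethernet frame with a 20-byte IP header, while udp[0:2] locates the UDP header from the IHL field. The function names and the IP-options variant are constructed for illustration.

```python
import struct

# First frame from the capture above (38 bytes, as limited by -s38).
FRAME = bytes.fromhex(
    "d89d671a38c51a81fbcbbd7a08004500"
    "0053b7e3000040110d42550f060c550f"
    "054b0035e36d"
)
ETH_LEN = 14  # untagged Ethernet II header


def src_port_fixed(frame):
    """Like link[34:2] / ip[20:2]: fixed offset, assumes IHL == 5."""
    return struct.unpack_from("!H", frame, 34)[0]


def udp_ports(frame):
    """Like udp[0:2] / udp[2:2]: find the UDP header via the IHL field."""
    if len(frame) < ETH_LEN + 20:
        return None                                   # truncated IP header
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None                                   # link[12:2] == 0x0800
    ver_ihl = frame[ETH_LEN]
    ihl = ver_ihl & 0x0F
    if ver_ihl & 0xF0 != 0x40 or ihl < 5 or frame[ETH_LEN + 9] != 0x11:
        return None                                   # ip[0] and ip[9] checks
    if struct.unpack_from("!H", frame, ETH_LEN + 6)[0] & 0x1FFF:
        return None                                   # later fragment: no UDP header
    off = ETH_LEN + ihl * 4
    if len(frame) < off + 4:
        return None                                   # snaplen cut the ports off
    return struct.unpack_from("!HH", frame, off)      # (source, destination)


def with_nop_options(frame):
    """Constructed variant: IHL 6 with four NOP option bytes inserted.
    Total length and checksum are left stale; only the offsets matter here."""
    return frame[:14] + b"\x46" + frame[15:34] + b"\x01" * 4 + frame[34:]


if __name__ == "__main__":
    print(src_port_fixed(FRAME), udp_ports(FRAME))    # both see port 53
    opt = with_nop_options(FRAME)
    print(src_port_fixed(opt), udp_ports(opt))        # fixed offset reads option bytes
```

With IP options present, the fixed-offset read lands on the option bytes instead of the source port, so a capture filter built on link[34:2] or ip[20:2] silently misses that traffic.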