Home / server / Questions / 416205
Accepted
Lock
Asked: 2012-08-11 00:42:01 +0800 CST

Testing UDP port connectivity

  • 772

I am trying to test whether I can get to a particular port on a remote server (both of which I have access to) through UDP.

Both servers are internet facing. I am using netcat to have a certain port listening.

I then use nmap to check for that port to see if it is open, but it doesn't appear to be.

Iptables is turned off.

Any suggestions why this could be? I am eventually going to setup a VPN tunnel, but because I'm very new to tunnels, I want to make sure I have connectivity on port UDP 1194 before advancing.

linux

9 Answers

  1. To test if udp port is responding, use netcat.

    An example from the man page:

    nc -v -u -z -w 3 example.host 20-30
    Send UDP packets to ports 20-30 of example.host, and report which ones
    did not respond with an ICMP packet after three seconds.

    Of course, if a firewall is DROPing, which is normally the case when dealing with internet-faced gateways, you won't receive an ICMP response.

    • 91
    1. both on client ans server install nc: yum install nc (for centos)
    2. on server listen UDP port: nc -ul 6111 (add the -6 option if you're testing an ipv6 connection)
    3. on client nc -u <server> 6111
    4. type anything on client and hit enter - you should see this text on server

    Note: When you run the nc -ul command on the server, it will only connect for the first connection coming to it. You can't, as I found out, switch between servers pinging it without stopping and restarting nc -ul. In fact, if you ^C stop the client (nc -u ...), you also cannot restart the client without first restarting the server listener.

    • 69
  3. Best Answer

    There is no such thing as an "open" UDP port, at least not in the sense most people are used to think (which is answering something like "OK, I've accepted your connection"). UDP is session-less, so "a port" (read: the UDP protocol in the operating system IP stack) will never respond "success" on its own.

    UDP ports only have two states: listening or not. That usually translates to "having a socket open on it by a process" or "not having any socket open". The latter case should be easy to detect since the system should respond with an ICMP Destination Unreachable packet with code=3 (Port unreachable). Unfortunately many firewalls could drop those packets so if you don't get anything back you don't know for sure if the port is in this state or not. And let's not forget that ICMP is session-less too and doesn't do retransmissions: the Port Unreachable packet could very well be lost somewhere on the net.

    A UDP port in the "listening" state may not respond at all (the process listening on it just receives the packet and doesn't transmit anything) or it could send something back (if the process does act upon reception and if it acts by responding via UDP to the original sender IP:port). So again, you never know for sure what's the state if you don't get anything back.

    You say you can have control of the receiving host: that makes you able to construct your own protocol to check UDP port reachability: just put a process on the receiving host that'll listen on the given UDP port and respond back (or send you an email, or just freak out and unlink() everything on the host file system... anything that'll trigger your attention will do).

    • 68

  4. I was having a similar issue and found a good solution using netcat here: http://en.wikipedia.org/wiki/Netcat#Test_if_UDP_port_is_open:_simple_UDP_server_and_client

    nc -vzu <host> <port>

    I was able to confirm my UDP port was open and then could proceed to testing my actual code.

    • 14

  5. Testing open UDP ports with nmap is fraught with perils -- there's no three-way handshake to indicate openness. Unless the listening process responds to whatever nmap sends, there's no way for nmap to differentiate between an open port that isn't responding and a filtered port.

    Much easier is just to listen on one end with netcat and use netcat at the other end to send packets, and see they arrive at the other end. Do it both ways just be sure. You can also tcpdump to see the packets getting to where they need to go.

    • 10

  6. You can scan udp ports by using following command

    nmap -sU -v <hostname or ip>
    • 7

  7. You can do this with netcat (nc) or iperf, assuming you have another machine to test with outside the network. My choice would be an nmap UDP scan from a system outside of your environment. What was your nmap command line? Are there any hardware firewalls or other devices in the mix?

    • 1

  8. I have a simple-minded approach. If the UDP server does not return expected data, I just stop collecting dgrams, assuming it went down:

    LINE: while(1)
{
    my $line;
    my $flags;

    local $SIG{ALRM} = sub {die "exceeded timeout for recv"};
    alarm 5;
    eval {
        $socket->recv($line,2024,$flags);
    };

    unless($line =~ /\{.*\}/){
        if($verbose){
            print STDERR "Invalid or empty dgram:\n",'"', $line, '"',"\n";
        }

        last LINE;
    }
}
    • 1

  9. Actually if Server listen port 6111 netcat explicitly states it:

    # nc -ul 6111
Ncat: bind to :::6111: Address already in use. QUITTING.
    • 0