traffic on UDP protocol is 3 times bigger than traffic on TCP

katun

Reputable
Apr 24, 2014
7
0
4,510
My LAN monitoring software show that I have a lot of traffic on UDP, 3 times bigger than traffic on TCP.
Also, I've noticed that upload is 4 times bigger than download.

I want to know if is usual or not?
What kind of services or applications use UDP protocol?
Can be identified the application analyzing the raw packages?
 
TCP requires an acknoloedgement of recieved packets and does error checking.

UDP doesnt care abot what happened in the past. If you are on the phone with someone you want to hear what they are saying this moment, not try to recover the droped packet from a second ago.



Some torrents use udp and so can VPN connections
 
I've checked and most of this traffic address to ports which are unassigned in IANA list, like 23805, 58385, 53846, 63941, etc.
The number of used ports is really huge, like the application is changing constantly the port used.
The public address is from an ISP located in Nederland.
 
I can't run resource monitor, the traffic isn't from my laptop, and the LAN have 10 WiFi routers connected, one of them is open for guests... still I believe the owner of this pc doesn't know about.
Any other suggestions?
 
If you actually have the ability to see all the traffic on your network then you should be able to load wireshark on something and capture it. Once you have a capture you can easily add filters to see if you can identify other related data streams. Many time tcp streams from the same machine will give you a clue what the UDP is.

Still this really sounds like skype. It pretty much constantly is sending and receiving some small amount of traffic via udp from varius ip addresses.
 
Should be something else than Skype, because this traffic is persistent, day and night, and begin more than 2 weeks ago.
Nobody chat so much, without break.
I've scanned the device which generate this traffic with Nmap, and showed the presence of an unknown SSL open port, also an open port used by MS RPC.
I would like to check if it is a torrent application running on it, but I don't know where to look, which specific pattern to search for!?
 
Its much easier to get into the device itself and look at what process is producing the traffic.

Skype produces traffic all the time, not a lot but all the time. It is constantly sending its directly database all over the place as well as constantly updating if your phone is on the network and the status...pretty much all voip does that. The key would be it is very low volume when it is skype. Even when a call is up it is not very much maybe 100k/sec

It tends to be impossible to really tell just from traffic captures when it is almost random ip and random ports. Torrent tends to be impossible to get a pattern...other than it is lots of traffic with no pattern. It is the high volume to lots of random location that tends to give it away. Torrent is designed to not be detected and can even be configured to pass though corporate proxy serves.

Torrent generally prefers TCP but it can run UDP.

Maybe block all UDP traffic from that machine except some of the more well know UDP ports and see what it breaks.
 
How can I make the difference between botnet traffic and torrent?
Use of torrents is not forbidden into my network.
And I don't want to start talking about possibility to have an infected device in the house without having any proof!