UDP Flow Analyzer

Go To Product Page

UDP Flow Analyzer is the layer version of UDP Flow Monitor. It can be attached to Pcap Sniffer or Ethernet Tap to convert low-level packet views into high-level data flow representations.

Basic Setup

  1. In a Pcap Sniffer or Ethernet Tap session, attach the UDP Flow Analyzer layer.

_images/udp-flow-analyzer-new-layer.png

  1. Analyze the post-processed Pcap Sniffer or Ethernet Tap logs.

_images/udp-flow-analyzer-analyze.png

  1. Adjust settings as needed via the “Settings” button (see “Settings” section below for details).

Settings

_images/udp-flow-analyzer-settings.png

Setting

Description

Default

View filter

Term to filter with when displaying packets.

IP fragment limit

The maximum number of IP fragments. IP fragments refer to the pieces of a larger IP packet that has been broken up for transmission across a network. IP datagrams can be fragmented during transmission, and the UDP Flow Analyzer attempts to reassemble these fragments into complete packets. To do this, it maintains a database of observed fragments. However, if the network contains malformed or maliciously crafted fragments, the defragmentation process can be overwhelmed. To prevent this, the analyzer applies several sanity checks. For example, incomplete fragment chains are discarded after a timeout to avoid indefinite retention, and the number of fragments in a chain is limited—since it’s highly unlikely that a legitimate IP datagram would be split into more than a few parts. By enforcing these limits, the analyzer can effectively discard suspicious or malformed chains, making the defragmentation process more robust and secure in hostile network environments.

8

IP fragment timeout (ms)

The maximum delay between IP fragments.

10000