UDP Flow Monitor

The UDP Flow Monitor plugin simplifies UDP analysis by hiding low-level details and showing a clear, readable log of conversations, just like the UDP Socket plugin. The plugin supports easy filtering by address or port and runs on libpcap, the trusted cross-platform packet capture library.

Basic Setup

  1. In IO Ninja, click the “New Session” dropdown and select “UDP Flow Monitor”.

     [image: _images/udp-flow-monitor-new-session.png]

  2. Select a network interface from “Device:”, e.g. “Adapter for loopback traffic capture”.

     [image: _images/udp-flow-monitor-adapter.png]

  3. Click the “Capture” button to the right of the “Device:” dropdown to start capturing traffic.

     [image: _images/tcp-flow-mon-capture.png]

  4. Monitor the UDP traffic captured according to your settings.

     [image: _images/udp-flow-monitor-analyze.png]

  5. Adjust settings as needed via the “Settings” button (see the “Settings” section below for details).

Settings

_images/udp-flow-monitor-settings.png

Device
    The network interface to capture from.

Promiscuous mode (default: False)
    Intercept and analyze all traffic seen on the interface, not only the packets addressed to this host.

Capture filter
    Filter expression applied while capturing; packets that do not match are never captured.

View filter
    Filter expression applied when displaying the log; packets that do not match are still captured, only hidden from view.

IP fragment limit (default: 8)
    The maximum number of fragments in one chain. IP fragments are the pieces of a larger IP datagram that was split for transmission across a network. The UDP Flow Monitor attempts to reassemble such fragments into complete datagrams, and to do so it keeps a database of observed fragments. If the network carries malformed or maliciously crafted fragments, that reassembly process can be overwhelmed, so the analyzer applies several sanity checks: incomplete fragment chains are discarded after a timeout rather than retained indefinitely, and the number of fragments in a chain is limited, since a legitimate IP datagram is highly unlikely to be split into more than a few parts. Enforcing these limits lets the analyzer discard suspicious or malformed chains, which makes defragmentation more robust in hostile network environments.

IP fragment timeout (ms) (default: 10000)
    The maximum time allowed between consecutive fragments of one datagram; an incomplete chain that stays idle longer than this is discarded.

Snapshot size (default: 65536)
    Pcap (packet capture) snapshot size.

Kernel buffer size (default: 0)
    Pcap (packet capture) kernel buffer size.

RX buffer size (B) (default: 1048576)
    The full size of the incoming data (RX) buffer. Affects read throughput.

RX buffer full notifications (default: False)
    Toggle warnings in the log when the incoming data (RX) buffer fills up.
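The fragment-limit and fragment-timeout sanity checks described under “IP fragment limit” and “IP fragment timeout (ms)”, as an added example that is not the plugin's own code: a small Python reassembler that keys chains on (source, destination, IP identification) and discards a chain as soon as its fragment count exceeds the limit or it stays idle past the timeout. Fragment, Defragmenter and demo are hypothetical names, the fragment fields are a simplification of the IP header, and the traffic in demo() is constructed.

```python
from collections import namedtuple
FRAG_LIMIT = 8            # the plugin's default "IP fragment limit"
FRAG_TIMEOUT_MS = 10000   # the plugin's default "IP fragment timeout (ms)"

# ident: shared by all pieces of a datagram; offset: payload byte offset; more: More Fragments flag
Fragment = namedtuple("Fragment", "src dst ident offset more payload ts_ms")

class Defragmenter:
    """(src, dst, ident)-keyed reassembly with the page's two sanity checks."""
    def __init__(self, frag_limit=FRAG_LIMIT, timeout_ms=FRAG_TIMEOUT_MS):
        self.limit, self.timeout, self.dropped = frag_limit, timeout_ms, []  # dropped: (key, why)
        self.chains = {}    # key -> [offset->payload, last timestamp, total length or -1]

    def add(self, f):
        """Feed one fragment; return the reassembled datagram, or None if incomplete."""
        self.expire(f.ts_ms)
        key = (f.src, f.dst, f.ident)
        frags, _, _ = chain = self.chains.setdefault(key, [{}, f.ts_ms, -1])
        frags[f.offset], chain[1] = f.payload, f.ts_ms
        if not f.more:
            chain[2] = f.offset + len(f.payload)   # the last piece fixes the total length
        if len(frags) > self.limit:                # suspicious chain: discard it whole
            del self.chains[key]
            self.dropped.append((key, "fragment limit"))
            return None
        data = bytearray()
        for off in sorted(frags):                  # pieces must be contiguous from offset 0
            if off != len(data):
                return None                        # gap or overlap: still incomplete
            data += frags[off]
        if len(data) != chain[2]:
            return None
        del self.chains[key]
        return bytes(data)

    def expire(self, now_ms):                      # drop chains idle longer than the timeout
        for key in [k for k, c in self.chains.items() if now_ms - c[1] > self.timeout]:
            del self.chains[key]
            self.dropped.append((key, "timeout"))

def demo():
    # Constructed traffic: out-of-order 3-piece datagram, 9-piece chain, stalled chain
    d = Defragmenter()
    results = [d.add(Fragment("10.0.0.1", "10.0.0.2", 1, off, off < 200, bytes([off]) * 100, 10))
               for off in (200, 0, 100)]
    for i in range(9):                             # exceeds FRAG_LIMIT on the 9th piece
        d.add(Fragment("10.0.0.3", "10.0.0.2", 2, 8 * i, True, b"x" * 8, 20))
    d.add(Fragment("10.0.0.4", "10.0.0.2", 3, 0, True, b"y" * 8, 30))  # never completed
    d.add(Fragment("10.0.0.5", "10.0.0.2", 4, 0, False, b"z" * 8, 30 + FRAG_TIMEOUT_MS + 1))
    return results, d.dropped
```

demo() returns the per-fragment results of the legitimate datagram (None, None, then the 300-byte payload) and the dropped list, which names the oversized chain and the stalled chain with the reason a log warning would report.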

Note

“Capture filter” filters what is captured, while “View filter” filters the log after capturing. Only use “Capture filter” if you are sure that you will not later need the packets that you are filtering out. If you may need the packets later, capture everything and filter using the “View filter”.