Tuesday, April 13, 2010

Malformed UDP Packets

Malformed UDP packets are easy to generate with the new changes to the Packet Generator tool in NetScanTools Pro 10.96.1. Normally a UDP packet consists of an IP header followed by a UDP header followed by data. Usually every field of those two headers (lengths, checksums and the rest) is filled in by the operating system's sockets layer at the moment the packet is sent, but with our Packet Generator tool we build the packet from beginning to end ourselves, including every part of both headers, so we can put any value we like into any field.

This view from Wireshark shows a normal UDP packet:

You can see that the packet is complete and correct with all checksums and field lengths normal. The payload is only 4 bytes - it is the word 'test'.

Now look what happens if we put a value of 2 into the UDP length field (remember that the UDP header alone is 8 bytes, so the field can never legitimately be smaller than 8). The data payload is unchanged at 4 bytes. Wireshark's 'Expert Info' analyzer flags the packet as malformed and points at the length value as the culprit. The checksum is not verified and the data is not dissected.

See how Wireshark complains that the length value is less than the size of the UDP header plus the data? Its message is correct: the UDP length field counts the header as well as the data, so it must be 8 or greater. Can you send a UDP packet without any data? Sure; RFC 768 allows an empty datagram with the length field set to 8, but in our test Wireshark tagged that one as malformed too (exception error).

Next let's try setting the UDP length field to something greater than the UDP header length plus the data payload length. Wireshark notes that the length value (24) is greater than the bytes actually present (8-byte UDP header + 4 bytes of data = 12 bytes), and it does not attempt the checksum calculation, since the checksum covers exactly the number of bytes the length field claims and those bytes are not all there.
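As an added example (not code from this post or from NetScanTools), here is a self-contained Python script that does by hand what the sockets layer normally hides: it builds an IPv4/UDP packet field by field, forges the UDP length field the way the two experiments above do, and then applies the same sanity checks Wireshark applies before it trusts the packet (length field at least 8, at most the bytes present, checksum verified only once the length is consistent). The addresses, ports and the 'test' payload are constructed sample values, and the check functions are my own names, not Wireshark's.

```python
import struct

UDP_HEADER_LEN = 8
IPPROTO_UDP = 17


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071): 16-bit one's-complement sum, then complemented.
    An odd trailing byte is padded with a zero byte, as the RFC requires."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src_ip: bytes, dst_ip: bytes, udp_segment: bytes) -> int:
    """RFC 768 UDP checksum over the pseudo-header (src, dst, zero, protocol, UDP length)
    followed by the UDP header and data. The pseudo-header copies the segment's own length
    field, which is why a forged length field also spoils checksum verification."""
    udp_len = struct.unpack("!H", udp_segment[4:6])[0]
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
    return ones_complement_sum(pseudo + udp_segment)


def build_udp_packet(src_ip, dst_ip, sport, dport, payload, length_override=None):
    """IPv4 header + UDP header + payload with every field filled in by hand (no sockets layer).
    length_override forges the UDP length field while the real payload stays unchanged,
    mirroring the two experiments in the post."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    udp_len = UDP_HEADER_LEN + len(payload) if length_override is None else length_override
    hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)       # checksum field zero while computing
    csum = udp_checksum(src, dst, hdr + payload) or 0xFFFF    # RFC 768: a computed 0 is sent as all ones
    udp = struct.pack("!HHHH", sport, dport, udp_len, csum) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, IPPROTO_UDP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]  # IP header checksum
    return ip + udp


def analyze_udp(packet: bytes) -> dict:
    """Replays the order of checks a dissector like Wireshark makes: the length field must cover
    at least the 8-byte header and no more than the bytes actually present; only then is the
    checksum verified, over exactly the number of bytes the length field claims."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst = packet[12:16], packet[16:20]
    udp = packet[ihl:]
    sport, dport, udp_len, csum = struct.unpack("!HHHH", udp[:UDP_HEADER_LEN])
    present = len(udp)
    if udp_len < UDP_HEADER_LEN:
        return {"verdict": "malformed", "checksum": "not checked",
                "reason": "length field %d is less than the %d-byte UDP header" % (udp_len, UDP_HEADER_LEN)}
    if udp_len > present:
        return {"verdict": "malformed", "checksum": "not checked",
                "reason": "length field %d exceeds the %d bytes present" % (udp_len, present)}
    if csum == 0:
        status = "absent"        # RFC 768 over IPv4: zero means the sender computed no checksum
    elif udp_checksum(src, dst, udp[:udp_len]) == 0:
        status = "good"          # sum including the checksum field folds to all ones
    else:
        status = "bad"
    return {"verdict": "ok", "checksum": status, "reason": "",
            "payload": udp[UDP_HEADER_LEN:udp_len]}


if __name__ == "__main__":
    # Constructed sample packets: the normal case and the two forged length fields from the post.
    for name, override in (("normal", None), ("length 2", 2), ("length 24", 24)):
        pkt = build_udp_packet("192.168.1.10", "192.168.1.20", 40000, 7, b"test", override)
        print(name, analyze_udp(pkt))
```

Two design points worth noting. The length check runs before the checksum check, and deliberately so: the checksum is defined over the bytes the length field names, so a length that is too small or too large makes the checksum meaningless, which is exactly why Wireshark reports the length and stays silent about the checksum. Second, `analyze_udp` distinguishes a zero checksum (legal over IPv4, meaning none was computed) from a wrong one; a tool that treats them the same will either miss corrupted datagrams or raise alarms on perfectly legal ones.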


A few words about what the Packet Generator tool can do. It generates TCP, UDP, ICMP and CDP packets and sends them at a maximum repetition rate of roughly 10,000 packets per second, so it is not a traffic generator capable of saturating your connection. It has a simple scripting language that lets you send packets and do some minor looping, or loop indefinitely, which is useful for connection testing. It uses WinPcap to inject packets, so it is pretty much limited to wired connections rather than wireless ones. Even within these limits it does show how applications or devices respond to malformed packets.

If you are interested in trying out the demo, you can do that by following this link. Please keep in mind that the demo will limit you to your local subnet but the full version does not have this limitation.
