Wireshark Basics – Complete Beginner to Advanced Guide
CHAPTER 08 Beginner

UDP Protocol Analysis

Updated: May 16, 2026


1. Introduction

In the previous chapter, we explored TCP, a highly complex, conversational protocol designed for reliability above all else. But not every application needs perfection. If you are watching a live sports stream and a few packets of one frame are lost, you do not want the video to freeze for two seconds while your computer asks the server to resend them. You just want the stream to continue. For applications where low latency and real-time delivery matter more than completeness, the internet uses the User Datagram Protocol (UDP). In this chapter, we will use Wireshark to analyze UDP traffic, contrasting its simple "fire-and-forget" nature with TCP, and exploring its primary use cases: DNS and real-time media.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Define the characteristics of a connectionless protocol (UDP).
  • Autopsy a UDP header in Wireshark and note its minimal size.
  • Contrast the operational differences between TCP and UDP.
  • Identify common applications that rely on UDP (e.g., DNS, VoIP, Gaming).
  • Understand why UDP cannot recover lost packets.

3. Beginner-friendly Explanations

The Megaphone (UDP) vs. The Telephone (TCP):
  • TCP is a Telephone Call: You dial the number. The other person says "Hello" (The Handshake). You have a conversation. You confirm they heard you. You both say "Goodbye" (The Teardown).
  • UDP is a Megaphone: You stand on a street corner and shout a message into a megaphone. You don't know if anyone is listening. You don't know if the wind distorted your voice. You don't ask for a receipt. You just shout and walk away. This is Connectionless Communication.

4. Anatomy of a UDP Header

Because UDP does not perform handshakes, does not track sequence numbers, and does not retransmit lost data, its header is incredibly tiny and lightweight.

If you expand the User Datagram Protocol line in the Wireshark Details pane, you will see only four header fields (Wireshark adds a few computed items in square brackets, such as [Checksum Status] and [Stream index], but those are not on the wire):

  1. Source Port: The port the datagram was sent from. For a client this is usually an ephemeral port; the server's reply goes back to it.
  2. Destination Port: The port, and therefore the application, the datagram is for.
  3. Length: The size in bytes of the UDP header plus its payload, so never less than 8.
  4. Checksum: A one's-complement checksum over the UDP header, the payload, and a pseudo-header containing the IP addresses, so it detects corruption anywhere in the datagram, not just the header. In IPv4 it is optional (a value of 0 means "not computed"); in IPv6 it is mandatory.

*That's it.* There are no flags. There are no sequence numbers. A UDP header is only 8 bytes long, compared to a TCP header which is at least 20 bytes (up to 60 with options). This lack of overhead is what makes UDP fast in practice: there is no handshake round trip before the first byte of data and no waiting for acknowledgements afterwards.
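To make the four fields and the pseudo-header checksum concrete, here is an added example (not code from the original page) that builds a UDP datagram carrying a small DNS query, parses the 8-byte header back out, and verifies the checksum the way a receiving host does. The addresses and the query name are constructed sample values; `build_dns_query` is a minimal helper written for this example, not a real resolver.

```python
import struct

IPPROTO_UDP = 17
# Constructed sample addresses (RFC 5737 documentation range): assumed client and resolver.
SRC_IP = "192.0.2.10"
DST_IP = "192.0.2.53"


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum; an odd trailing byte is padded with zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """IPv4 pseudo-header (RFC 768): source, destination, zero byte, protocol, UDP length."""
    return ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + struct.pack("!BBH", 0, IPPROTO_UDP, udp_length)


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over pseudo-header + UDP header + payload, with the checksum field zeroed."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = 0xFFFF ^ ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return csum or 0xFFFF  # RFC 768: a computed 0 is sent as 0xFFFF, because 0 means "no checksum"


def build_udp(src_port: int, dst_port: int, payload: bytes, src_ip: str = SRC_IP, dst_ip: str = DST_IP) -> bytes:
    length = 8 + len(payload)
    segment = struct.pack("!HHHH", src_port, dst_port, length, 0) + payload
    csum = udp_checksum(src_ip, dst_ip, segment)
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def parse_udp(segment: bytes) -> dict:
    """Split off the four header fields; reject a Length field that does not match the bytes seen."""
    if len(segment) < 8:
        raise ValueError("UDP header is 8 bytes; datagram too short")
    src_port, dst_port, length, csum = struct.unpack("!HHHH", segment[:8])
    if length < 8 or length > len(segment):
        raise ValueError(f"UDP length field {length} inconsistent with {len(segment)} bytes captured")
    return {"src_port": src_port, "dst_port": dst_port, "length": length,
            "checksum": csum, "payload": segment[8:length]}


def verify_udp(src_ip: str, dst_ip: str, segment: bytes) -> str:
    """Return 'absent' (IPv4 zero checksum), 'ok' or 'bad'. A valid datagram sums to 0xFFFF
    when the transmitted checksum is included in the sum."""
    fields = parse_udp(segment)
    if fields["checksum"] == 0:
        return "absent"
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, fields["length"]) + segment[:fields["length"]])
    return "ok" if total == 0xFFFF else "bad"


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query (constructed payload, RD flag set) so the sample datagram is realistic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname_wire = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    return header + qname_wire + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


if __name__ == "__main__":
    datagram = build_udp(51234, 53, build_dns_query("example.com"))
    print(parse_udp(datagram))
    print("checksum:", verify_udp(SRC_IP, DST_IP, datagram))
```

Wireshark performs the same verification only if you enable the UDP protocol preference "Validate the UDP checksum if possible" (it is off by default); you can then filter on the Checksum Status field. One caveat before you trust a "Bad" verdict: on the sending host, checksum offload means the NIC fills the field in after Wireshark has already copied the packet, so outbound datagrams captured locally routinely show a bad checksum even though they leave the wire intact.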

5. Common UDP Traffic in Wireshark

If you filter Wireshark by typing udp, you will immediately notice the "fire-and-forget" nature of the traffic.
  • DNS (Port 53): When your computer needs to look up a domain name, it fires a single UDP datagram at the resolver. If that datagram or the reply is lost, nothing in UDP notices; the resolver software simply times out and sends a fresh query. (Large answers that do not fit in a UDP message are flagged with the TC bit, and the client repeats the query over TCP.)
  • DHCP (Ports 67 and 68): When you join a Wi-Fi network, your computer broadcasts a UDP message from port 68 to the server port 67, to the whole local network: *"I need an IP address!"*
  • Gaming & VoIP: Online multiplayer games and video calls send a steady stream of small UDP datagrams, typically tens per second (a common VoIP codec emits one RTP packet every 20 ms, so 50 per second). If one is dropped, the listener loses one 20 ms slice of audio or the player's character glitches briefly, but the session continues.

6. TCP vs UDP Comparison

| Feature | TCP | UDP |
| --- | --- | --- |
| Connection Type | Connection-oriented (three-way handshake required) | Connectionless (fire and forget) |
| Reliability | Guaranteed, in-order delivery; retransmits lost data | Unreliable; no retransmissions, duplicates and reordering possible |
| Overhead | High (20 to 60 byte header, ACKs required) | Low (8 byte header, no ACKs) |
| Speed | Higher latency (handshake round trip, waits for acknowledgements) | Lower latency (no setup, no waiting) |
| Use Cases | Web browsing (HTTP/1.1, HTTP/2), email, file transfer | Streaming video, VoIP calls, DNS, DHCP, gaming, QUIC/HTTP/3 |

7. Troubleshooting UDP in Wireshark

Troubleshooting UDP is paradoxically harder than TCP. Because TCP carries sequence numbers and acknowledgements, Wireshark can infer a dropped segment from the gap that follows it, paint it with the black "Bad TCP" colouring rule, and label it with an expert-info tag such as [TCP Retransmission] or [TCP Previous segment not captured]. The protocol itself carries the evidence that something went wrong.

With UDP there are no acknowledgements and no transport-level sequence numbers, so Wireshark has no way to tell whether a datagram ever arrived. To prove that a router in the middle is dropping a VoIP call's packets, you capture on *both* the sender's and the receiver's machine and reconcile the two PCAP files: every datagram present in the sender's capture but absent from the receiver's was lost in between. For RTP this is easier than counting raw datagrams, because RTP adds its own 16-bit sequence number in the application payload; Wireshark's Telephony > RTP > RTP Streams view uses it to report loss from a single capture, and the same number lets you match packets across two captures.
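The reconciliation just described, as an added example that is not part of the original page: it parses the fixed RTP header out of each UDP payload, compares the sequence numbers seen at the sender with those seen at the receiver, and separately estimates loss from the receiver's capture alone, which is what Wireshark's RTP stream analysis does. The two "captures" are constructed lists of payloads (the SSRC, codec and sequence numbers are made up for the example), and `build_rtp` is a helper written here, not a Wireshark or RTP library function.

```python
import struct


def parse_rtp(payload: bytes) -> dict:
    """Fixed 12-byte RTP header (RFC 3550). CSRC lists and header extensions are not
    walked, because only seq and SSRC are needed for loss accounting."""
    if len(payload) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, timestamp, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:
        raise ValueError(f"not RTP version 2 (got {b0 >> 6})")
    return {"seq": seq, "timestamp": timestamp, "ssrc": ssrc,
            "payload_type": b1 & 0x7F, "marker": bool(b1 & 0x80)}


def seq_range(first: int, last: int):
    """Sequence numbers from first to last inclusive, wrapping at 2**16 as RTP does."""
    for i in range((last - first) % 65536 + 1):
        yield (first + i) % 65536


def rtp_loss_report(sender_payloads, receiver_payloads) -> dict:
    """Two-sided reconciliation: every (SSRC, seq) that left the sender but never reached
    the receiver was dropped somewhere in between. Reordering does not count as loss."""
    sent = [parse_rtp(p) for p in sender_payloads]
    received = [parse_rtp(p) for p in receiver_payloads]
    report = {}
    for ssrc in {h["ssrc"] for h in sent}:
        sent_seqs = [h["seq"] for h in sent if h["ssrc"] == ssrc]
        got_seqs = {h["seq"] for h in received if h["ssrc"] == ssrc}
        lost = [s for s in sent_seqs if s not in got_seqs]
        report[ssrc] = {
            "sent": len(sent_seqs),
            "received": len(got_seqs & set(sent_seqs)),
            "lost": lost,
            "loss_pct": round(100.0 * len(lost) / len(sent_seqs), 1),
        }
    return report


def receiver_gaps(receiver_payloads) -> dict:
    """One-sided estimate from the receiver's capture only: any jump in the sequence
    number is counted as loss. Assumes in-order arrival; a reordered packet shows up
    here as a spurious gap, which is why the two-sided check above is the stronger proof."""
    expected, gaps = {}, {}
    for p in receiver_payloads:
        h = parse_rtp(p)
        ssrc, seq = h["ssrc"], h["seq"]
        if ssrc in expected and seq != expected[ssrc]:
            gaps.setdefault(ssrc, []).extend(seq_range(expected[ssrc], (seq - 1) % 65536))
        expected[ssrc] = (seq + 1) % 65536
    return gaps


def build_rtp(seq: int, ssrc: int = 0xDEADBEEF, payload_type: int = 0,
              payload: bytes = b"\x00" * 160) -> bytes:
    """Constructed PCMU-style packet: V=2, no padding/extension, 160 samples = one 20 ms frame."""
    return struct.pack("!BBHII", 0x80, payload_type, seq, seq * 160, ssrc) + payload


if __name__ == "__main__":
    # Constructed captures: the sender emitted seq 65533..6 (wrapping through 0);
    # the receiver never saw 65535 or 2.
    sender = [build_rtp(s) for s in seq_range(65533, 6)]
    receiver = [build_rtp(s) for s in seq_range(65533, 6) if s not in (65535, 2)]
    print(rtp_loss_report(sender, receiver))
    print(receiver_gaps(receiver))
```

In a real investigation the payload lists come from the two PCAPs (for example by exporting the `udp.payload` field with `tshark -T fields`), and the `ssrc` key lets you keep the two directions of a call apart. If the sender's capture shows the packet and the receiver's does not, the drop is on the path; if the sender's capture is missing it too, the application never sent it and the router is innocent.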

8. Best Practices

  • Do not Follow UDP Streams blindly: In Chapter 7, we learned to "Follow TCP Stream" to see the data payload. "Follow UDP Stream" exists too and works fine for text-based protocols such as syslog, but if you use it on a VoIP call you will see a chaotic mess of unreadable binary. UDP payloads are often codec-encoded audio or video inside RTP, which needs a specialised view to interpret: use Telephony > RTP > RTP Streams, and if the traffic is on a non-standard port use "Decode As..." to tell Wireshark which dissector applies.

9. Common Mistakes

  • Assuming UDP is "Insecure": Beginners often equate the lack of a handshake with a lack of security. These are separate concerns. Plain UDP is unencrypted and unauthenticated, but so is plain TCP; encryption is layered on top in both cases. DTLS (Datagram Transport Layer Security) and QUIC (the transport under HTTP/3) run strong, authenticated encryption directly over UDP, keeping the low latency. What the missing handshake does cost you is source-address validation: anyone can send a datagram with a forged source IP and the server has no way to tell, which is why UDP services such as DNS and NTP are the classic targets of reflection and amplification attacks, and why a UDP service should validate requests and rate-limit before sending a large reply.

10. Mini Project: Filter UDP Traffic

  1. Start a live Wireshark capture on your active interface.
  2. Type udp into the Display Filter bar and press Enter.
  3. Observe the Info column. You will likely see Standard query (DNS) or DHCP Discover / Request.
  4. Notice that there are absolutely no [SYN] or [ACK] labels anywhere in the list. The traffic simply fires off into the network without any setup!

11. Practice Exercises

  1. Explain why real-time applications like VoIP and competitive online gaming explicitly choose to use UDP instead of TCP.
  2. Describe the structural difference between a TCP header and a UDP header. Why is the UDP header significantly smaller?

12. MCQs with Answers

Question 1

Which of the following best describes the fundamental operational model of the User Datagram Protocol (UDP)?

Question 2

If a UDP packet is lost in transit across the internet due to a congested router, what action does the UDP protocol take to recover the lost data?

13. Interview Questions

  • Q: Compare and contrast TCP and UDP regarding connection establishment, reliability, and data overhead.
  • Q: Provide three examples of common network protocols or applications that rely on UDP, and explain the architectural reasoning behind that choice.
  • Q: A network administrator is tasked with troubleshooting a dropped UDP connection using Wireshark. Why is this fundamentally more difficult to prove than a dropped TCP connection?

14. FAQs

Q: If UDP doesn't guarantee delivery, how does a DNS request know to try again if the first packet is lost? A: UDP itself does not care. However, the Application Layer (Layer 7) *does* care. Your computer's stub resolver sends the query and starts a timer; the wait is typically one to five seconds depending on the operating system (glibc defaults to 5 s, configurable in resolv.conf; Windows starts at 1 s). If no reply with a matching transaction ID arrives in time, the *software* builds a brand-new UDP datagram and sends it again, usually switching to the next configured server after a few attempts. The reliability is handled by the application, not the transport protocol.
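The retry loop described in this answer, and in the DNS bullet earlier in the chapter, as an added example that is not part of the original page: a small stub-resolver function sends a DNS query over UDP, waits for a reply carrying the same transaction ID, and resends on timeout. To keep it runnable offline, the server side is a constructed stand-in on 127.0.0.1 that silently drops the first query, which is exactly what a lossy router does to UDP. The `FlakyResolver`, `query_with_retry` and `demo` names, the timeouts and the query name are all this example's assumptions.

```python
import secrets
import socket
import struct
import threading


def build_dns_query(qname: str, txid: int) -> bytes:
    """Minimal DNS A query: 12-byte header with RD set, then QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname_wire = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    return header + qname_wire + b"\x00" + struct.pack("!HH", 1, 1)


class FlakyResolver(threading.Thread):
    """Constructed stand-in for a DNS server behind a lossy link: it silently discards the
    first `drop_first` queries and answers the rest with an empty NOERROR reply."""

    def __init__(self, drop_first: int = 1):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))  # any free port
        self.sock.settimeout(0.05)        # poll so the thread can be stopped cleanly
        self.address = self.sock.getsockname()
        self.drop_first = drop_first
        self.seen = 0
        self.stop = threading.Event()

    def run(self):
        while not self.stop.is_set():
            try:
                data, client = self.sock.recvfrom(512)
            except socket.timeout:
                continue
            self.seen += 1
            if self.seen <= self.drop_first:
                continue  # dropped: with UDP nobody tells the client this happened
            txid, _flags, qdcount = struct.unpack("!HHH", data[:6])
            reply = struct.pack("!HHHHHH", txid, 0x8180, qdcount, 0, 0, 0) + data[12:]
            self.sock.sendto(reply, client)
        self.sock.close()


def query_with_retry(server, qname: str, timeout: float = 1.0, attempts: int = 3):
    """Stub-resolver logic: send, wait `timeout`, resend. Returns (reply, attempts_used).
    The transaction ID is random and checked on the reply, as real resolvers do, so a
    stray or spoofed datagram is ignored rather than accepted as the answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for attempt in range(1, attempts + 1):
            txid = secrets.randbelow(65536)
            s.sendto(build_dns_query(qname, txid), server)
            try:
                while True:
                    data, src = s.recvfrom(512)
                    if (src == server and len(data) >= 12
                            and data[:2] == struct.pack("!H", txid) and data[2] & 0x80):
                        return data, attempt
                    # wrong source, wrong ID, or not a response (QR bit clear): keep waiting
            except socket.timeout:
                continue  # the application, not UDP, decides to try again
    raise TimeoutError(f"no reply from {server} after {attempts} attempts")


def demo(drop_first: int = 1, timeout: float = 0.2, attempts: int = 3):
    """Run one query against a local flaky server; returns (attempts_used, queries_server_saw)."""
    server = FlakyResolver(drop_first)
    server.start()
    try:
        _reply, used = query_with_retry(server.address, "example.com", timeout, attempts)
    finally:
        server.stop.set()
        server.join()
    return used, server.seen


if __name__ == "__main__":
    print("attempts used, queries seen by server:", demo(drop_first=1))
```

Captured in Wireshark, this run shows two identical-looking Standard query lines a timeout apart, with different transaction IDs, and a single Standard query response matching the second one; nothing in the trace marks the first query as lost. The ID check (together with the random source port the OS assigns) is also the resolver's only defence against an attacker racing a forged reply to the client, which is why real resolvers randomise both.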

15. Summary

In Chapter 8, we explored the alternative to TCP's rigid reliability. We autopsied the User Datagram Protocol (UDP), identifying its minuscule 8-byte header and its defining "Connectionless" architecture. We contrasted the slow, conversational nature of TCP with the fire-and-forget speed of UDP, mapping its usage to latency-sensitive applications like VoIP, live streaming, and rapid DNS lookups. By understanding that UDP provides zero error recovery, we recognize the inherent difficulty in troubleshooting connectionless traffic and the necessity of application-layer fallbacks.

16. Next Chapter Recommendation

We have mentioned DNS multiple times as a primary user of UDP. It is time to look at it under the microscope. Proceed to Chapter 9: DNS Traffic Analysis.
