UDP Table

Overview

Evidence: UDP Table
Description: Collect UDP Table
Category: Network
Platform: windows
Short Name: udpt
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Windows maintains a table of all UDP endpoints (listening ports) including the local address, port, and process ID that owns each endpoint. Unlike TCP, UDP is connectionless, so only local endpoints are tracked.

UDP is commonly used for DNS, DHCP, and various application protocols. Malware may also use UDP for C2 communications or data exfiltration.

Data Collected

This collector gathers structured data about the UDP table.

UDP Table Data

Field        Description              Example
Local        Local IP address         0.0.0.0
LocalPort    Local UDP port number    137
ProcessID    Owning process ID        4

Collection Method

This collector uses the Windows API to enumerate UDP endpoints:

  • Calls GetExtendedUdpTable with the UDP_TABLE_OWNER_PID flag

  • Returns all UDP listening ports

  • Associates each endpoint with its owning process ID

Forensic Value

UDP endpoints can reveal services and potential backdoors. Investigators use this data to identify listening UDP services, detect unusual UDP ports, track DNS client activity, correlate UDP usage with processes, and identify potential UDP-based C2 channels.
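The following is an added example, not the collector's own code, covering both the collection method above (the GetExtendedUdpTable call with UDP_TABLE_OWNER_PID, including the two-call buffer sizing and the network-byte-order port) and the triage an investigator runs over the resulting Local/LocalPort/ProcessID rows. The Windows call is guarded by _WIN32; elsewhere the program builds the same row structure from constructed sample rows so the triage part still runs. The baseline port list and the rule "NetBIOS ports 137/138 should belong to the System process (PID 4)" are assumptions made for the example, not rules from the collector.

```c
/* Added example (not the collector's code): enumerate the Windows UDP
 * endpoint table and flag rows worth an investigator's attention. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#include <iphlpapi.h>
#pragma comment(lib, "iphlpapi.lib")
#pragma comment(lib, "ws2_32.lib")
#endif

/* One row of the collector's UDP table: Local, LocalPort, ProcessID. */
typedef struct {
    char     local[16];   /* dotted-quad local address (IPv4 table only) */
    unsigned local_port;  /* host byte order */
    unsigned process_id;  /* owning PID, as reported by UDP_TABLE_OWNER_PID */
} UdpEndpoint;

#ifdef _WIN32
/* Fill out[] from the live table; returns the row count or -1 on error.
 * GetExtendedUdpTable is called twice: first to learn the buffer size
 * (it returns ERROR_INSUFFICIENT_BUFFER), then to fill the buffer. */
int collect_udp_table(UdpEndpoint *out, int max_rows)
{
    DWORD size = 0;
    if (GetExtendedUdpTable(NULL, &size, FALSE, AF_INET, UDP_TABLE_OWNER_PID, 0)
            != ERROR_INSUFFICIENT_BUFFER)
        return -1;
    PMIB_UDPTABLE_OWNER_PID tbl = (PMIB_UDPTABLE_OWNER_PID)malloc(size);
    if (tbl == NULL)
        return -1;
    if (GetExtendedUdpTable(tbl, &size, FALSE, AF_INET, UDP_TABLE_OWNER_PID, 0)
            != NO_ERROR) {
        free(tbl);
        return -1;
    }
    int n = 0;
    for (DWORD i = 0; i < tbl->dwNumEntries && n < max_rows; i++) {
        MIB_UDPROW_OWNER_PID *r = &tbl->table[i];
        struct in_addr a;
        a.s_addr = r->dwLocalAddr;
        snprintf(out[n].local, sizeof out[n].local, "%s", inet_ntoa(a));
        /* dwLocalPort carries the port in network byte order */
        out[n].local_port = ntohs((u_short)r->dwLocalPort);
        out[n].process_id = r->dwOwningPid;
        n++;
    }
    free(tbl);
    return n;
}
#endif

/* Constructed sample rows standing in for a collected table (used where
 * GetExtendedUdpTable is not available). */
int sample_udp_table(UdpEndpoint *out, int max_rows)
{
    const UdpEndpoint rows[] = {
        { "0.0.0.0", 137,   4    },  /* NetBIOS name service owned by System */
        { "0.0.0.0", 5353,  1234 },  /* mDNS, a common client-side listener */
        { "0.0.0.0", 31337, 6789 },  /* high port with no known service */
        { "0.0.0.0", 137,   9999 },  /* NetBIOS port owned by a non-System PID */
    };
    int n = (int)(sizeof rows / sizeof rows[0]);
    if (n > max_rows) n = max_rows;
    memcpy(out, rows, (size_t)n * sizeof rows[0]);
    return n;
}

/* Baseline of UDP ports routinely open on a Windows host. An assumption
 * for this example; tune it to the environment under review. */
static const unsigned baseline_ports[] =
    { 53, 67, 68, 123, 137, 138, 500, 1900, 3389, 4500, 5353, 5355 };

int is_baseline_port(unsigned port)
{
    for (size_t i = 0; i < sizeof baseline_ports / sizeof baseline_ports[0]; i++)
        if (baseline_ports[i] == port) return 1;
    return 0;
}

/* Triage rule (an assumption, not the collector's logic): flag a row whose
 * port is outside the baseline, or a NetBIOS port (137/138) owned by any
 * process other than System (PID 4). Row indices go to flagged[]. */
int triage_udp_table(const UdpEndpoint *rows, int n, int *flagged, int max_flagged)
{
    int count = 0;
    for (int i = 0; i < n && count < max_flagged; i++) {
        int odd_port  = !is_baseline_port(rows[i].local_port);
        int odd_owner = (rows[i].local_port == 137 || rows[i].local_port == 138)
                        && rows[i].process_id != 4;
        if (odd_port || odd_owner)
            flagged[count++] = i;
    }
    return count;
}

/* Row index of the k-th flagged sample endpoint, or -1 if none. */
int sample_flagged_row(int k)
{
    UdpEndpoint rows[16];
    int flagged[16];
    int n = sample_udp_table(rows, 16);
    int count = triage_udp_table(rows, n, flagged, 16);
    return (k >= 0 && k < count) ? flagged[k] : -1;
}

int main(void)
{
    UdpEndpoint rows[512];
    int flagged[512];
#ifdef _WIN32
    int n = collect_udp_table(rows, 512);   /* live table on Windows */
#else
    int n = sample_udp_table(rows, 512);    /* constructed rows elsewhere */
#endif
    if (n < 0) { fprintf(stderr, "collection failed\n"); return 1; }
    int k = triage_udp_table(rows, n, flagged, 512);
    for (int i = 0; i < k; i++)
        printf("review: %s:%u pid %u\n", rows[flagged[i]].local,
               rows[flagged[i]].local_port, rows[flagged[i]].process_id);
    return 0;
}
```

On Windows, build with the IP Helper and Winsock libraries (cl.exe picks them up from the pragma lines) and run it as a user that can read other processes' endpoint ownership; the two flagged sample rows (the unbaselined high port and the NetBIOS port with an unexpected owner) show the two questions an investigator asks of each row: is this port expected here, and is the owning process the one that should hold it.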
