The `udp` module reads raw packets from a UDP connection over the Internet.

The `udp` module is an input module, meaning that its purpose is to read data from some sources and convert it to Orchids events. The sources should be declared in the `orchids-inputs.conf` file. Admissible sources are UDP (`SOCK_DGRAM`) connections over the Internet (`AF_INET`). For local UDP connections, use `sockunix` instead.

The `udp` module reads from these sources and produces Orchids events, one per UDP packet. The contents of each packet will then be found in the `.udp.msg` field of the event.
Configuration options

None.

(The `udp` module in fact understands the special `INPUT` directive. It takes a port number as argument, and connects to that port. This should not be used inside the `udp` module configuration file. Instead, input should be specified in the `orchids-inputs.conf` file.)
Fields

The last field is `.udp.msg`, available for further dissection; the dissection key is `.udp.tag`, which is a string rendition of the `.udp.dst_port` field. This requires a bit of explanation. If you write:

    DISSECT udp textfile 514

in the `orchids-inputs.conf` file, then you will get UDP packets from port 514 (the `syslog` port). This will be made clear by the fact that their `.udp.dst_port` field will be equal to the unsigned integer 514. Their `.udp.tag` field will be the string `"514"`, which can then be used as a dissection tag.
| Field | Type | Mono? | Description |
|---|---|---|---|
| `.udp.event` | uint | ✓ | event number |
| `.udp.time` | timeval | ✓ | reception time (by Orchids) |
| `.udp.src_addr` | ipv4 | | source address |
| `.udp.src_port` | uint | | source port |
| `.udp.dst_port` | uint | | destination port |
| `.udp.tag` | str | | dissection tag |
| `.udp.msg` | bstr | | message, as raw packet |