bandwhich: Failing to report unbound UDP traffic

I’m not seeing much traffic (basically just ssh and sshd) despite knowing there’s a ton of traffic.

iftop shows me over 20x streams open, but they are all UDP – freeswitch VoIP streams.

They are listed in lsof -i

Is this a bug or by design? I saw no mention in the docs or issues of tcp vs udp.

Thanks!

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 28 (8 by maintainers)

Most upvoted comments

The kernel only shows a connected destination if the program called connect(). If it didn’t, it can instead specify a destination for each packet, using sendto().

Here’s a C program that talks UDP with 1.1.1.1 and 8.8.8.8, calling connect() for only one of the sockets. It looks like this in lsof on Linux (I don’t know about macOS and other Unix-likes):

    a.out 18303 alcaro 3u IPv4 558532 0t0 UDP *:54852
    a.out 18303 alcaro 4u IPv4 558533 0t0 UDP stacked:47363->dns.google:domain

(It’s also possible to talk to both servers on the same socket, but it acts weirdly if you didn’t call connect(). I suspect the kernel discards incoming packets from the wrong source if you connect().)

I can’t offer any solutions, but perhaps this can help you understand the problem better.
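The connect() versus sendto() distinction from the comment above, as an added example (not the program the commenter posted): it asks the kernel, via getpeername(), whether it has a remote address recorded for each kind of UDP socket, which is the information socket-table tools rely on. It assumes a constructed loopback receiver in place of 1.1.1.1 and 8.8.8.8 so it runs offline; the function names are hypothetical.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 if the kernel has a remote address recorded for fd, 0 if getpeername()
 * fails with ENOTCONN (no peer in the socket table), -1 on any other error. */
static int kernel_knows_peer(int fd) {
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    if (getpeername(fd, (struct sockaddr *)&peer, &len) == 0) return 1;
    return errno == ENOTCONN ? 0 : -1;
}

/* Sends one datagram to a local receiver (constructed loopback target).
 * use_connect=1: connect() then send(); 0: sendto() with a per-packet
 * destination. Returns kernel_knows_peer() for the sender, -1 on failure. */
int udp_peer_visible(int use_connect) {
    struct sockaddr_in dst = {0};
    socklen_t len = sizeof dst;
    int result = -1;
    int rx = socket(AF_INET, SOCK_DGRAM, 0);
    int tx = socket(AF_INET, SOCK_DGRAM, 0);
    if (rx < 0 || tx < 0) goto out;
    dst.sin_family = AF_INET;
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    dst.sin_port = 0; /* let the kernel pick the receiver's port */
    if (bind(rx, (struct sockaddr *)&dst, sizeof dst) < 0) goto out;
    if (getsockname(rx, (struct sockaddr *)&dst, &len) < 0) goto out;
    if (use_connect) {
        if (connect(tx, (struct sockaddr *)&dst, sizeof dst) < 0) goto out;
        if (send(tx, "ping", 4, 0) != 4) goto out;
    } else if (sendto(tx, "ping", 4, 0, (struct sockaddr *)&dst, sizeof dst) != 4) {
        goto out;
    }
    result = kernel_knows_peer(tx); /* traffic was sent either way */
out:
    if (rx >= 0) close(rx);
    if (tx >= 0) close(tx);
    return result;
}

int main(void) {
    printf("connect()+send(): peer visible = %d\n", udp_peer_visible(1));
    printf("sendto() only:    peer visible = %d\n", udp_peer_visible(0));
    return 0;
}
```

Both sockets carry the same traffic, but only the connected one has a remote endpoint in the kernel's socket table; the other appears with a wildcard local address only, as in the first lsof line above.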

Merged in release 0.8.0.

Seems to work fine!