User Datagram Protocol (UDP) is a connectionless, low-latency transport layer protocol. UDP enables stateless communication between two network endpoints before an agreement is provided by the receiving party. To evaluate the integrity of the message header and data, UDP uses checksums.

The stream_udp inspector checks the source and destination IP address fields in the IP datagram header, and the port fields in the UDP header to determine the direction of flow and identify a session. A session ends when a configurable timer is exceeded, or when either endpoint receives an ICMP message that the other endpoint is unreachable.

The UDP stream inspector does not generate events. You can enable packet decoder rules (GID 116) to detect UDP header anomalies.

Consider the following best practices when you configure the stream_udp inspector:

• Create a stream_udp inspector for each session timeout that you want to apply to a host or endpoint. The stream UDP inspector associates the session_timeout with the UDP hosts defined in the binder inspector.

  You can have multiple versions of the stream_udp inspector in the same network analysis policy.

• Enable packet decoder rules (GID 116) to detect UDP header anomalies.