The UDP header is much simpler than the TCP header, as shown in Figure 9. It is only 8 bytes long: source port, destination port, length and checksum, that's it! The main fields we filter on in the UDP header are the source and destination port numbers.

Figure 9: The simplistic UDP header has the source and destination ports at the same offset as the TCP header.

Most analyzers have application filters pre-built on the value of the source and destination port number fields. For example, if you select the FTP filter in Sniffer, you get a filter built on the value 0x15 (21d). What happens if someone is sneaking data through using port 33d for their FTP commands? The pre-built filter just won't work then, eh?

That's why you must be able to build filters based on the source and destination port field. Again, Chapter 4 has lots of examples of building filters based on the source and destination port field values. In that chapter, you’ll build a filter for ‘hidden’ FTP commands crossing your network.
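The following is an added illustration of the point made above; it is not code from the book or from any analyzer product. It parses the 8-byte UDP header from raw bytes (the source and destination ports sit in the first four bytes, at the same offsets as in a TCP header, so the port extraction works on either), then compares a pre-built port filter for FTP (port 21d) with a filter on the FTP command text itself. The sample segments are constructed inline: one normal FTP login on port 21 and one "hidden" login sent on port 33. The port filter misses the second; the content filter catches both.

```python
import struct

FTP_PORT = 21  # 0x15, the value a pre-built FTP filter keys on

# First token of common FTP control-channel commands (case-insensitive).
FTP_COMMANDS = {b"USER", b"PASS", b"RETR", b"STOR", b"LIST", b"CWD",
                b"PORT", b"PASV", b"QUIT"}


def parse_ports(transport_header: bytes) -> tuple[int, int]:
    """Source and destination port: two 16-bit big-endian fields at offset 0.
    The offsets are identical for TCP and UDP, so this works on both."""
    if len(transport_header) < 4:
        raise ValueError("transport header too short to hold port fields")
    return struct.unpack("!HH", transport_header[:4])


def parse_udp_header(segment: bytes) -> dict:
    """Decode the fixed 8-byte UDP header and return the fields plus payload."""
    if len(segment) < 8:
        raise ValueError("UDP header is 8 bytes; segment too short")
    src, dst, length, checksum = struct.unpack("!HHHH", segment[:8])
    return {
        "src_port": src,
        "dst_port": dst,
        "length": length,      # header + payload, in bytes
        "checksum": checksum,
        "payload": segment[8:],
    }


def port_filter(segment: bytes, port: int = FTP_PORT) -> bool:
    """What a pre-built application filter does: match on port number only."""
    src, dst = parse_ports(segment)
    return port in (src, dst)


def content_filter(payload: bytes) -> bool:
    """Match on the FTP command text, regardless of which port carried it."""
    first_line = payload.split(b"\r\n", 1)[0]
    tokens = first_line.split()
    return bool(tokens) and tokens[0].upper() in FTP_COMMANDS


def build_udp_segment(src: int, dst: int, payload: bytes) -> bytes:
    """Construct a UDP segment for the samples below (checksum left at 0)."""
    return struct.pack("!HHHH", src, dst, 8 + len(payload), 0) + payload


def classify(segment: bytes) -> dict:
    """Run both filters over one segment and report which ones fired."""
    hdr = parse_udp_header(segment)
    return {
        "ports": (hdr["src_port"], hdr["dst_port"]),
        "port_filter_hit": port_filter(segment),
        "content_filter_hit": content_filter(hdr["payload"]),
    }


# Constructed sample traffic (not real captures).
NORMAL_FTP = build_udp_segment(40000, 21, b"USER anonymous\r\n")  # standard port
HIDDEN_FTP = build_udp_segment(40001, 33, b"USER anonymous\r\n")  # FTP on 33d
NOT_FTP = build_udp_segment(40002, 33, b"\x12\x34\x01\x00")        # binary payload


if __name__ == "__main__":
    for name, seg in (("normal", NORMAL_FTP), ("hidden", HIDDEN_FTP), ("other", NOT_FTP)):
        print(name, classify(seg))
```

Running the block shows the "hidden" segment with `port_filter_hit: False` and `content_filter_hit: True`, which is exactly the gap a pre-built port-21 filter leaves open and a command-text filter closes.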


If you’re not sure if your ‘content filtering’ firewall is stopping these types of packets, build an FTP command filter and test it! -- Laura

