Research and Development

udp-proto-scanner is a perl script which discovers UDP services by sending triggers to a list of hosts


$ -f ips.txt
$ -p ntp -f ips.txt

The probe names (for -p) are defined in udp-proto-scanner.conf. List probe names using the -l option:

$ -l

What’s it used for?

It’s used in the host-discovery and service-discovery phases of a pentest.

It can be helpful if you need to discover hosts that only offer UDP services and are otherwise well firewalled – e.g. if you want to find all the DNS servers in a range of IP addresses. Alternatively on a LAN, you might want a quick way to find all the TFTP servers.

Not all UDP services can be discovered in this way (e.g. SNMPv1 won’t respond unless you know a valid community string). However, many UDP services can be discovered, e.g.:

  • DNS
  • TFTP
  • NTP
  • NBT
  • SunRPC
  • MS SQL
  • DB2
  • SNMPv3

It’s Not a Portscanner

It won’t give you a list of open and closed ports for each host. It’s simply looking for specific UDP services.


It’s most efficient to run against whole networks (e.g. 256 IPs or more). If you run it against small numbers of hosts it will seem
quite slow because it waits for 1 second between each different type of probe.

One cool feature of udp-proto-scanner is that it doesn’t load the whole host list into memory. Therefore if you want to scan 17 million IPs, you can. It’ll take a while, but you won’t run out of memory.


The UDP probes are mainly taken from amap, nmap and ike-scan. Inspiration for the scanning code was drawn from ike-scan. Net::Netmask by David Muir Sharnoff is included in this tool.

Request to be added to the Portcullis Labs newsletter

We will email you whenever a new tool, or post is added to the site.

Your Name (required)

Your Email (required)