I’m not suggesting Wireshark is the right choice for production, but if you need a UDP listener for a quick debugging session, this trick is worth tucking away for later.
If you need to do a short data collection from applications such as syslog daemons or NetFlow exporters that just pump out UDP packets, wireshark/tshark can stand in for the real server in a pinch: nothing on the wire cares whether something is bound to the port, and tshark will happily dissect whatever arrives.
Here’s the recipe for syslog. The number after -i is the capture interface index, which is machine-specific (tshark -D lists the interfaces and their indexes), and "port 514" is a capture (BPF) filter, not a display filter, so only syslog traffic is ever handed to the dissector.
tshark -i 2 -f "port 514" -T fields -e syslog
The -T fields switch tells tshark to print only the fields named by one or more -e switches instead of the full packet summary. Because the name given here is a whole protocol (syslog) rather than an individual field, tshark prints the dissector’s summary line for that protocol, which in this case carries the facility (LOCAL7), the severity (NOTICE), and then the actual message, as in the output below.
Syslog message: LOCAL7.NOTICE: 27403: Dec 23 14:44:29: %SYS-5-CONFIG_I: Configured from console by root on vty0 (10.0.2.19)
The people who wrote the Wireshark dissectors have done all the hard work of interpreting the binary fields for us. It’s worth noting that there is no documentation (that I am aware of) for the field names. I usually just capture a couple of packets and export them in PDML format; you can then open that file in any text editor and read the field names out of the XML.
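As an added example (not code from the original post), here is the whole workflow as a small POSIX shell script: the listener recipe parameterised on the interface index, a short capture to file, the PDML export, and two helpers that pull the field names and their values out of the PDML text so you know exactly what to hand to -e. It also shows tshark’s own field catalogue (tshark -G fields), which is the one list of names tshark does ship with. The PDML at the bottom is a constructed, abbreviated sample in the shape tshark -T pdml emits for the packet shown above; the syslog.* names are the Wireshark syslog dissector’s, but confirm them against your own export, since attribute layout follows the installed version. tshark is only called inside the functions, so the PDML helpers run offline on the sample.

```shell
#!/bin/sh
# Added example: a throwaway UDP syslog listener built on tshark, plus helpers
# for discovering the dissector's field names from a PDML export.
# Real tshark invocations live only inside the functions; the PDML helpers are
# exercised on the constructed sample at the bottom.

# 1. Find the interface index that -i expects (output differs per machine).
list_interfaces() {
    tshark -D
}

# 2. The recipe from the post, with the interface index as a parameter.
#    -l line-buffers stdout so a consumer (tee, grep, a log file) sees each
#    message as it arrives rather than after a stdio buffer fills.
syslog_listen() {
    tshark -l -i "$1" -f "udp port 514" -T fields -e syslog
}

# 3. Capture a handful of packets to a file for field-name discovery.
#    $2 is the packet count (default 5), $3 the output capture path.
syslog_capture() {
    tshark -i "$1" -f "udp port 514" -c "${2:-5}" -w "$3"
}

# 4. Re-dissect a capture file and emit PDML (XML) on stdout.
pdml_export() {
    tshark -r "$1" -T pdml
}

# 5a. Every distinct protocol/field name in a PDML document read from stdin.
#     The leading space in the pattern keeps showname="..." from matching.
pdml_field_names() {
    grep -o ' name="[^"]*"' | sed 's/^ name="//; s/"$//' | LC_ALL=C sort -u
}

# 5b. name=value pairs for <field> elements (those carrying a show="" attribute):
#     the name is what -T fields -e <name> wants, the value is what it prints.
pdml_field_values() {
    sed -n 's/.* name="\([^"]*\)".* show="\([^"]*\)".*/\1=\2/p'
}

# 6. tshark's own catalogue. Per tshark(1), the -G fields report is tab-separated:
#    column 1 is "F" for a field, column 3 the filter name, column 4 the type,
#    column 5 the parent protocol abbreviation.
syslog_field_catalogue() {
    tshark -G fields | awk -F'\t' '$1 == "F" && $5 == "syslog" { print $3 "\t" $4 }'
}

# Constructed, abbreviated PDML for the packet in the post. The PRI on the wire
# is "<189>" (hex 3c3138393e): 189 = 23*8 + 5, i.e. facility LOCAL7 (23) in the
# high five bits and level NOTICE (5) in the low three.
SAMPLE_PDML=$(cat <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<pdml version="0">
<packet>
  <proto name="syslog" showname="Syslog message: LOCAL7.NOTICE: 27403: Dec 23 14:44:29: %SYS-5-CONFIG_I: Configured from console by root on vty0 (10.0.2.19)" size="97" pos="42">
    <field name="syslog.priority" showname="Priority: 189" size="5" pos="42" show="189" value="3c3138393e"/>
    <field name="syslog.facility" showname="1011 1... = Facility: LOCAL7 - local use 7 (23)" size="5" pos="42" show="23" value="3c3138393e"/>
    <field name="syslog.level" showname=".... .101 = Level: NOTICE - normal but significant condition (5)" size="5" pos="42" show="5" value="3c3138393e"/>
    <field name="syslog.msg" showname="Message: 27403: Dec 23 14:44:29: %SYS-5-CONFIG_I: Configured from console by root on vty0 (10.0.2.19)" size="92" pos="47" show="27403: Dec 23 14:44:29: %SYS-5-CONFIG_I: Configured from console by root on vty0 (10.0.2.19)"/>
  </proto>
</packet>
</pdml>
EOF
)

# Offline demonstration on the sample: first the names you can pass to -e,
# then the value each one would produce for this packet.
printf '%s\n' "$SAMPLE_PDML" | pdml_field_names
printf '%s\n' "$SAMPLE_PDML" | pdml_field_values
```

On a live box the sequence is list_interfaces, then syslog_capture 2 5 syslog.pcapng, then pdml_export syslog.pcapng | pdml_field_names; once you know that syslog.msg is the name you want, -e syslog.msg in place of -e syslog drops the facility/severity prefix and leaves just the message text, which is usually what a log-collection script wants.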