I've used 1.3 and 2.0 but neither gives me any "old" UDP artifacts. I know they are there because I have the pcap, so I am looking for them in memory.
 
 
Can someone tell me the format of a UDP artifact in memory please?
 
For example I'm looking for
from a connection  UDP 192.168.136.129:1044 to 204.13.161.100:6600
 
I'm looking at
 
11  83  89   C0 A8 88 81   CC 0D A1 64   04 14   19 C8
 
that looks like
 
UDP  Unk  Unk   192.168.136.129   204.13.161.100   1044   6600
 
The "Unk" means I don't know what they are (the 83 (seems to be constant) and 89 (changes slightly)).
 
I've found this in the kernel
01fb5017 [kernel:2180730903] UDP to 204.13.161.100
 
This may just be a parameter block that is passed to the OS, but it does show that there was such a packet sent.
 
Tell me what I need to be looking for if I am in the wrong place.
 
Thanks,
Mike
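The layout in the dump above (source IP, destination IP, source port, destination port, contiguous) can be turned into a byte signature and scanned for directly in a raw memory image, which is a quick way to confirm whether the artifact is where one expects before trying to name the surrounding structure. The following is an added example and not code from the original post or from any memory-forensics tool; it assumes that layout, that the IPv4 addresses are stored in network byte order, and tries both byte orders for the ports since that is not known for certain. The sample buffer is constructed from the bytes quoted in the post.

```python
import socket
import struct


def connection_patterns(src_ip, src_port, dst_ip, dst_port):
    """Candidate byte patterns for one UDP endpoint pair.

    Assumed layout (taken from the dump in the post): src IP, dst IP,
    src port, dst port, all contiguous. IPs in network order; ports are
    tried in both byte orders because the in-memory order is unknown.
    """
    ips = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    return {
        "ports-big-endian": ips + struct.pack(">HH", src_port, dst_port),
        "ports-little-endian": ips + struct.pack("<HH", src_port, dst_port),
    }


def scan(buf, src_ip, src_port, dst_ip, dst_port, context=3):
    """Return (label, offset, preceding_bytes_hex) for every match in buf.

    The bytes preceding each hit are kept so they can be compared across
    hits; in the post those are the "11 83 89" whose meaning is unknown.
    """
    hits = []
    for label, pat in connection_patterns(src_ip, src_port, dst_ip, dst_port).items():
        pos = buf.find(pat)
        while pos != -1:
            preceding = buf[max(0, pos - context):pos]
            hits.append((label, pos, preceding.hex(" ")))
            pos = buf.find(pat, pos + 1)
    return hits


def decode(buf, offset, port_order=">"):
    """Interpret 12 bytes at offset as (src IP, dst IP, src port, dst port)."""
    chunk = buf[offset:offset + 12]
    src = socket.inet_ntoa(chunk[0:4])
    dst = socket.inet_ntoa(chunk[4:8])
    sport, dport = struct.unpack(port_order + "HH", chunk[8:12])
    return src, dst, sport, dport


# Constructed sample "memory": filler around the 15 bytes quoted in the post.
SAMPLE = (
    b"\x00" * 32
    + bytes.fromhex("11 83 89 C0 A8 88 81 CC 0D A1 64 04 14 19 C8")
    + b"\xff" * 32
)


if __name__ == "__main__":
    # For a real image: with open("memory.raw", "rb") as f: buf = f.read()
    for label, off, before in scan(SAMPLE, "192.168.136.129", 1044, "204.13.161.100", 6600):
        print(f"{label} @ 0x{off:x}, preceded by {before}: {decode(SAMPLE, off)}")
```

Against a real dump, read the whole file into `buf` and scan for the endpoint pair taken from the pcap; if the big-endian pattern hits and the little-endian one does not, the ports are stored in network order as the dump suggests. Comparing the preceding bytes across several hits (one per known connection from the pcap) is the usual way to work out which of them is a constant tag and which is a varying field.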