A Closer Look at UDP (User Datagram Protocol) Sessions
For many network and security professionals, analyzing network packets for troubleshooting and security investigation is a daily routine. One of the most common actions in the analysis is to “follow” a TCP session: display all the packets belonging to that TCP session.
It's well known that a TCP session consists of all the TCP packets that share the same tuple: from a client IP and port to a server IP and port or, conversely, from the server IP and port back to the client IP and port. Many professionals assume that the same principle applies to UDP, but unfortunately, that is not the case. A UDP session is defined only by the client IP and port. As a result, packets from the same UDP session can be to/from different server IP and port pairs.
Super graphic and discussion from https://elguber.wordpress.com/
Some readers may wonder why UDP sessions work this way. The answer lies in network programming: when an application needs to communicate using UDP, it binds to a local IP and port. After the binding, this socket can send to and receive from any server and port pair. In other words, all the packets from/to the local IP and port are relevant to the same UDP-based application.
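The binding behaviour described above can be observed on the loopback interface. The following is an added example, not code from the original article: one bound client socket exchanges datagrams with two servers, and the resulting packets are then grouped TCP-style by address pair and UDP-style by client endpoint. The function names, the loopback addresses and the ephemeral ports are assumptions made for illustration.

```python
import socket
from collections import defaultdict

LOOPBACK = "127.0.0.1"  # constructed test setup: everything runs on localhost

def udp_socket():
    """Create a UDP socket bound to an ephemeral loopback port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((LOOPBACK, 0))
    s.settimeout(2)
    return s

def run_exchange():
    """One client socket talks to two servers; return (client_ep, packets).

    Each packet is recorded as a (source endpoint, destination endpoint) pair.
    """
    servers = [udp_socket(), udp_socket()]
    client = udp_socket()  # a single bind, reused for every peer
    client_ep = client.getsockname()
    packets = []
    try:
        for srv in servers:
            srv_ep = srv.getsockname()
            client.sendto(b"ping", srv_ep)
            _, src = srv.recvfrom(1024)
            packets.append((src, srv_ep))        # client -> server
            srv.sendto(b"pong", src)
            _, src = client.recvfrom(1024)
            packets.append((src, client_ep))     # server -> client
    finally:
        for s in servers + [client]:
            s.close()
    return client_ep, packets

def group_by_address_pair(packets):
    """TCP-style 'follow': key on the unordered pair of endpoints."""
    flows = defaultdict(list)
    for src, dst in packets:
        flows[frozenset((src, dst))].append((src, dst))
    return dict(flows)

def group_by_client(packets, client_ep):
    """UDP session as the article defines it: every packet to/from the client endpoint."""
    return [p for p in packets if client_ep in p]

if __name__ == "__main__":
    ep, pkts = run_exchange()
    print("client endpoint:", ep)
    print("flows by address pair:", len(group_by_address_pair(pkts)))
    print("packets in the UDP session:", len(group_by_client(pkts, ep)))
```

Grouping by address pair splits the traffic into two flows, while keying on the client endpoint keeps all four datagrams in one session.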
With this understanding, let's look at two network scenarios.