So I left this for a while (1h+):
tcpdump -i enp9s0 udp port 28967 -XAvvv &>/tmp/udp.dump
and here is what I got:
[root@localhost ~]# grep -Po "(?<=\s)\S+(?=\.\d+\s\>)" /tmp/udp.dump | grep -v localhost | sort | uniq -c | sort -k1nr
Just few sources and not so much traffic. What does this mean and how/when exactly is UDP involved in upload/download process?
Depending on settings, any connections between satellites, uplinks, and nodes may be attempted with QUIC (over UDP) and TLS (over TCP) at the same time. If a connection is fully established with QUIC/UDP first, then we use that connection and the TLS/TCP connection attempt is aborted. If instead the TLS/TCP connection is fully established first, then we use that connection and the QUIC/UDP connection attempt is aborted.
So, if UDP packets can be exchanged more quickly between the remote host and your node, you will see many more UDP packets. If UDP packets are generally exchanged more slowly with your node, you will see many more TCP packets. And of course, if UDP packets are blocked somewhere between the remote host and your node, or if the client is configured not to try UDP connections, you won’t see those packets at all.