Analyzing tos bits from tcpdump

Posted on 2006-03-29
Medium Priority
Last Modified: 2013-12-16
I have one strange problem with tcpdump.
I could not see the output about the tos bits in tcpdump.
I am running the tcpdump in two different machine:
A) Linux machineA 2.6.11-1.1369_FC4
b) Linux machineB 2.4.20-8
Please take a look at following output:
[root@machineA src]# tcpdump -nn -vvvv
tcpdump: listening on eth0
16:11:57.481254 202.63.x.23.1354 > 202.63.y.22: . [tcp sum ok] 641:641(0) ack 59456 win 16464 (DF) (ttl 124, id 30722, len 40)
16:11:57.613161 202.63.x.1354 > 202.63.y.22: P 641:721(80) ack 59456 win 16464 (DF) (ttl 124, id 30723, len 120)
16:11:57.613236 202.63.y.22 > 202.63.x.23.1354: P 59456:60016(560) ack 721 win 16320 (DF) [tos 0x10]  (ttl 64, id 50362, len 600)
16:11:57.613270 202.63.y.22 > 202.63.x.23.1354: P 60016:60576(560) ack 721 win 16320 (DF) [tos 0x10]  (ttl 64, id 50364, len 600)
16:11:57.613310 202.63.y.22 > 202.63.x.23.1354: P 60576:61136(560) ack 721 win 16320 (DF) [tos 0x10]  (ttl 64, id 50366, len 600)

[root@machineB src]# tcpdump -nn -vvvv
tcpdump: listening on eth0
16:16:58.521793 202.63.x.22 > 202.63.y.23.1356: P 513:913(400) ack 0 win 20440 (DF) (ttl 64, id 49224, len 440)
16:16:58.740496 202.63.x.23.1356 > 202.63.y.6.22: . [tcp sum ok] 0:0(0) ack 913 win 16176 (DF) (ttl 128, id 31118, len 40)
16:16:58.740508 202.63.y.6.22 > 202.63.x.23.1356: P 913:1313(400) ack 0 win 20440 (DF) (ttl 64, id 49225, len 440)
16:16:58.959210 202.63.x.23.1356 > 202.63.y.6.22: . [tcp sum ok] 0:0(0) ack 1313 win 17520 (DF) (ttl 128, id 31119, len 40)
16:16:58.959223 202.63.y.22 > 202.63.x.23.1356: P 1313:1713(400) ack 0 win 20440 (DF) (ttl 64, id 49226, len 440)
16:16:59.177924 202.63.x.23.1356 > 202.63.y.6.22: . [tcp sum ok] 0:0(0) ack 1713 win 17120 (DF) (ttl 128, id 31120, len 40)
16:16:59.177934 202.63.y.6.22 > 202.63.x.23.1356: P 1713:2113(400) ack 0 win 20440 (DF) (ttl 64, id 49227, len 440)

--- Note the tos bit on the first out put and no tos bit in second. I suspect the Linux version on my second machine MachineB does not support to display tos bit by tcpdump.

Both uses tcpdump version: tcpdump-3.7.2-7

I need to see the toss bits from tcpdump in the machineB. Please suggest what is the reason behind it. Do I need to upgrade OS in machineB?

Rajendra One
Question by:rajendraone

Author Comment

ID: 16320085
Okay, I would like to tweak this question.
How could I change the tos bit out from the interface ?


Accepted Solution

jainrah earned 500 total points
ID: 16396007
If no issue, you can make use of the 'x' flag of tcpdump to get the packet header in hex. From there you can read the TOS bits.

The only solution, that I can think of, for your second question is to make use of a kernel module. If you decide to write a module, read up on netfilter hooks.


Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The purpose of this article is to demonstrate how we can use conditional statements using Python.
In part one, we reviewed the prerequisites required for installing SQL Server vNext. In this part we will explore how to install Microsoft's SQL Server on Ubuntu 16.04.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Suggested Courses
Course of the Month15 days, 22 hours left to enroll

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question