Analyzing tos bits from tcpdump

I have one strange problem with tcpdump.
I could not see the output about the tos bits in tcpdump.
I am running the tcpdump in two different machine:
A) Linux machineA 2.6.11-1.1369_FC4
b) Linux machineB 2.4.20-8
Please take a look at following output:
[root@machineA src]# tcpdump -nn -vvvv
tcpdump: listening on eth0
16:11:57.481254 202.63.x.23.1354 > 202.63.y.22: . [tcp sum ok] 641:641(0) ack 59456 win 16464 (DF) (ttl 124, id 30722, len 40)
16:11:57.613161 202.63.x.1354 > 202.63.y.22: P 641:721(80) ack 59456 win 16464 (DF) (ttl 124, id 30723, len 120)
16:11:57.613236 202.63.y.22 > 202.63.x.23.1354: P 59456:60016(560) ack 721 win 16320 (DF) [tos 0x10]  (ttl 64, id 50362, len 600)
16:11:57.613270 202.63.y.22 > 202.63.x.23.1354: P 60016:60576(560) ack 721 win 16320 (DF) [tos 0x10]  (ttl 64, id 50364, len 600)
16:11:57.613310 202.63.y.22 > 202.63.x.23.1354: P 60576:61136(560) ack 721 win 16320 (DF) [tos 0x10]  (ttl 64, id 50366, len 600)

[root@machineB src]# tcpdump -nn -vvvv
tcpdump: listening on eth0
16:16:58.521793 202.63.x.22 > 202.63.y.23.1356: P 513:913(400) ack 0 win 20440 (DF) (ttl 64, id 49224, len 440)
16:16:58.740496 202.63.x.23.1356 > 202.63.y.6.22: . [tcp sum ok] 0:0(0) ack 913 win 16176 (DF) (ttl 128, id 31118, len 40)
16:16:58.740508 202.63.y.6.22 > 202.63.x.23.1356: P 913:1313(400) ack 0 win 20440 (DF) (ttl 64, id 49225, len 440)
16:16:58.959210 202.63.x.23.1356 > 202.63.y.6.22: . [tcp sum ok] 0:0(0) ack 1313 win 17520 (DF) (ttl 128, id 31119, len 40)
16:16:58.959223 202.63.y.22 > 202.63.x.23.1356: P 1313:1713(400) ack 0 win 20440 (DF) (ttl 64, id 49226, len 440)
16:16:59.177924 202.63.x.23.1356 > 202.63.y.6.22: . [tcp sum ok] 0:0(0) ack 1713 win 17120 (DF) (ttl 128, id 31120, len 40)
16:16:59.177934 202.63.y.6.22 > 202.63.x.23.1356: P 1713:2113(400) ack 0 win 20440 (DF) (ttl 64, id 49227, len 440)

--- Note the tos bit on the first out put and no tos bit in second. I suspect the Linux version on my second machine MachineB does not support to display tos bit by tcpdump.

Both uses tcpdump version: tcpdump-3.7.2-7

I need to see the toss bits from tcpdump in the machineB. Please suggest what is the reason behind it. Do I need to upgrade OS in machineB?

Rajendra One
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

rajendraoneAuthor Commented:
Okay, I would like to tweak this question.
How could I change the tos bit out from the interface ?

If no issue, you can make use of the 'x' flag of tcpdump to get the packet header in hex. From there you can read the TOS bits.

The only solution, that I can think of, for your second question is to make use of a kernel module. If you decide to write a module, read up on netfilter hooks.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.