We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now


Analyzing tos bits from tcpdump

rajendraone asked
Medium Priority
Last Modified: 2013-12-16
I have one strange problem with tcpdump.
I could not see the output about the tos bits in tcpdump.
I am running the tcpdump in two different machine:
A) Linux machineA 2.6.11-1.1369_FC4
b) Linux machineB 2.4.20-8
Please take a look at following output:
[root@machineA src]# tcpdump -nn -vvvv
tcpdump: listening on eth0
16:11:57.481254 202.63.x.23.1354 > 202.63.y.22: . [tcp sum ok] 641:641(0) ack 59456 win 16464 (DF) (ttl 124, id 30722, len 40)
16:11:57.613161 202.63.x.1354 > 202.63.y.22: P 641:721(80) ack 59456 win 16464 (DF) (ttl 124, id 30723, len 120)
16:11:57.613236 202.63.y.22 > 202.63.x.23.1354: P 59456:60016(560) ack 721 win 16320 (DF) [tos 0x10]  (ttl 64, id 50362, len 600)
16:11:57.613270 202.63.y.22 > 202.63.x.23.1354: P 60016:60576(560) ack 721 win 16320 (DF) [tos 0x10]  (ttl 64, id 50364, len 600)
16:11:57.613310 202.63.y.22 > 202.63.x.23.1354: P 60576:61136(560) ack 721 win 16320 (DF) [tos 0x10]  (ttl 64, id 50366, len 600)

[root@machineB src]# tcpdump -nn -vvvv
tcpdump: listening on eth0
16:16:58.521793 202.63.x.22 > 202.63.y.23.1356: P 513:913(400) ack 0 win 20440 (DF) (ttl 64, id 49224, len 440)
16:16:58.740496 202.63.x.23.1356 > 202.63.y.6.22: . [tcp sum ok] 0:0(0) ack 913 win 16176 (DF) (ttl 128, id 31118, len 40)
16:16:58.740508 202.63.y.6.22 > 202.63.x.23.1356: P 913:1313(400) ack 0 win 20440 (DF) (ttl 64, id 49225, len 440)
16:16:58.959210 202.63.x.23.1356 > 202.63.y.6.22: . [tcp sum ok] 0:0(0) ack 1313 win 17520 (DF) (ttl 128, id 31119, len 40)
16:16:58.959223 202.63.y.22 > 202.63.x.23.1356: P 1313:1713(400) ack 0 win 20440 (DF) (ttl 64, id 49226, len 440)
16:16:59.177924 202.63.x.23.1356 > 202.63.y.6.22: . [tcp sum ok] 0:0(0) ack 1713 win 17120 (DF) (ttl 128, id 31120, len 40)
16:16:59.177934 202.63.y.6.22 > 202.63.x.23.1356: P 1713:2113(400) ack 0 win 20440 (DF) (ttl 64, id 49227, len 440)

--- Note the tos bit on the first out put and no tos bit in second. I suspect the Linux version on my second machine MachineB does not support to display tos bit by tcpdump.

Both uses tcpdump version: tcpdump-3.7.2-7

I need to see the toss bits from tcpdump in the machineB. Please suggest what is the reason behind it. Do I need to upgrade OS in machineB?

Rajendra One
Watch Question


Okay, I would like to tweak this question.
How could I change the tos bit out from the interface ?

If no issue, you can make use of the 'x' flag of tcpdump to get the packet header in hex. From there you can read the TOS bits.

The only solution, that I can think of, for your second question is to make use of a kernel module. If you decide to write a module, read up on netfilter hooks.


Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.