Analyzing tos bits from tcpdump

Posted on 2006-03-29
Last Modified: 2013-12-16
I have a strange problem with tcpdump.
I cannot see the TOS bits in the tcpdump output.
I am running tcpdump on two different machines:
A) Linux machineA 2.6.11-1.1369_FC4
B) Linux machineB 2.4.20-8
Please take a look at the following output:
[root@machineA src]# tcpdump -nn -vvvv
tcpdump: listening on eth0
16:11:57.481254 202.63.x.23.1354 > 202.63.y.22: . [tcp sum ok] 641:641(0) ack 59456 win 16464 (DF) (ttl 124, id 30722, len 40)
16:11:57.613161 202.63.x.1354 > 202.63.y.22: P 641:721(80) ack 59456 win 16464 (DF) (ttl 124, id 30723, len 120)
16:11:57.613236 202.63.y.22 > 202.63.x.23.1354: P 59456:60016(560) ack 721 win 16320 (DF) [tos 0x10]  (ttl 64, id 50362, len 600)
16:11:57.613270 202.63.y.22 > 202.63.x.23.1354: P 60016:60576(560) ack 721 win 16320 (DF) [tos 0x10]  (ttl 64, id 50364, len 600)
16:11:57.613310 202.63.y.22 > 202.63.x.23.1354: P 60576:61136(560) ack 721 win 16320 (DF) [tos 0x10]  (ttl 64, id 50366, len 600)

[root@machineB src]# tcpdump -nn -vvvv
tcpdump: listening on eth0
16:16:58.521793 202.63.x.22 > 202.63.y.23.1356: P 513:913(400) ack 0 win 20440 (DF) (ttl 64, id 49224, len 440)
16:16:58.740496 202.63.x.23.1356 > 202.63.y.6.22: . [tcp sum ok] 0:0(0) ack 913 win 16176 (DF) (ttl 128, id 31118, len 40)
16:16:58.740508 202.63.y.6.22 > 202.63.x.23.1356: P 913:1313(400) ack 0 win 20440 (DF) (ttl 64, id 49225, len 440)
16:16:58.959210 202.63.x.23.1356 > 202.63.y.6.22: . [tcp sum ok] 0:0(0) ack 1313 win 17520 (DF) (ttl 128, id 31119, len 40)
16:16:58.959223 202.63.y.22 > 202.63.x.23.1356: P 1313:1713(400) ack 0 win 20440 (DF) (ttl 64, id 49226, len 440)
16:16:59.177924 202.63.x.23.1356 > 202.63.y.6.22: . [tcp sum ok] 0:0(0) ack 1713 win 17120 (DF) (ttl 128, id 31120, len 40)
16:16:59.177934 202.63.y.6.22 > 202.63.x.23.1356: P 1713:2113(400) ack 0 win 20440 (DF) (ttl 64, id 49227, len 440)

--- Note the TOS bits in the first output and no TOS bits in the second. I suspect the Linux version on my second machine, machineB, does not support displaying the TOS bits with tcpdump.

Both use tcpdump version tcpdump-3.7.2-7.

I need to see the TOS bits from tcpdump on machineB. Please suggest what the reason behind this might be. Do I need to upgrade the OS on machineB?

Rajendra One
Question by:rajendraone

    Author Comment

    Okay, I would like to tweak this question.
    How could I change the TOS bits going out from the interface?


    Accepted Solution

    If there is no issue, you can make use of the '-x' flag of tcpdump to get the packet header in hex. From there you can read the TOS bits.

    The only solution that I can think of for your second question is to make use of a kernel module. If you decide to write a module, read up on netfilter hooks.
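As an added example (not code from this thread, and not part of tcpdump), the following Python script takes the hex text printed by tcpdump -x, decodes the IPv4 header, and reports the TOS byte both as the modern DSCP/ECN split and as the RFC 1349 bits that tcpdump 3.x labels. It also recomputes the header checksum so a mis-aligned or truncated dump is caught rather than silently misread. tcpdump 3.x only prints the [tos 0x..] bracket when the byte is non-zero, so a packet sent with TOS 0 shows no bracket at all; decoding the hex makes the actual value explicit either way. The two sample dumps are constructed to mirror the machineA and machineB lines above (id, length, TTL and DF kept; addresses replaced with TEST-NET 192.0.2.x; checksums computed so they validate). The function names (hexdump_to_bytes, parse_tos, tcpdump_style) are mine, and the script assumes the hex begins at the IP header, which is what tcpdump -x prints (the link-level header is omitted).

```python
"""Decode the IPv4 TOS byte from tcpdump -x hex output.

Constructed example, not code from the original thread or from tcpdump.
Assumes the hex dump starts at the IPv4 header (tcpdump -x omits the
link-level header) and was produced with -x, not -X (no ASCII column).
"""
import re
import struct

# Old tcpdump prints bare "4510 0258 ..." groups; newer versions prefix each
# line with an offset such as "0x0000:  ". Both forms are accepted here.
_OFFSET_PREFIX = re.compile(r"^\s*0x[0-9a-fA-F]+:\s*")

# RFC 1349 TOS bit names, the encoding tcpdump 3.x-era output refers to.
_RFC1349_BITS = ((0x10, "lowdelay"), (0x08, "throughput"),
                 (0x04, "reliability"), (0x02, "lowcost"))


def hexdump_to_bytes(dump):
    """Turn tcpdump -x hex text (any number of lines) into raw bytes."""
    nibbles = []
    for line in dump.splitlines():
        line = _OFFSET_PREFIX.sub("", line)
        nibbles.append(re.sub(r"[^0-9a-fA-F]", "", line))
    return bytes.fromhex("".join(nibbles))


def ones_complement_checksum(header):
    """RFC 791 checksum; over a header with a valid checksum field this is 0."""
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    total = sum(words)
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tos(dump):
    """Return the TOS byte and the other fields tcpdump prints for an IPv4 packet."""
    pkt = hexdump_to_bytes(dump)
    if len(pkt) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("dump does not start with an IPv4 header (version %d)" % version)
    tos = pkt[1]
    total_len, ident, flags_frag, ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    return {
        "tos": tos,
        "dscp": tos >> 2,          # RFC 2474: top six bits
        "ecn": tos & 0x03,         # RFC 3168: bottom two bits
        "precedence": tos >> 5,    # RFC 791 precedence: top three bits
        "rfc1349_flags": [name for bit, name in _RFC1349_BITS if tos & bit],
        "len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "proto": proto,
        "checksum_ok": ones_complement_checksum(pkt[:ihl]) == 0,
    }


def tcpdump_style(fields):
    """Render the fields the way tcpdump 3.x does: [tos] appears only when TOS != 0."""
    parts = []
    if fields["df"]:
        parts.append("(DF)")
    if fields["tos"]:
        parts.append("[tos 0x%x]" % fields["tos"])
    parts.append("(ttl %d, id %d, len %d)" % (fields["ttl"], fields["id"], fields["len"]))
    return " ".join(parts)


# Constructed dumps mirroring the first machineA and machineB lines in the
# thread: 192.0.2.22 -> 192.0.2.23, TCP port 22 -> 1354/1356, DF set.
MACHINE_A_DUMP = """\
4510 0258 c4ba 4000 4006 efa7 c000 0216
c000 0217 0016 054a"""

MACHINE_B_DUMP = """\
0x0000:  4500 01b8 c048 4000 4006 f4c9 c000 0216
0x0010:  c000 0217 0016 054c"""

if __name__ == "__main__":
    for name, dump in (("machineA", MACHINE_A_DUMP), ("machineB", MACHINE_B_DUMP)):
        f = parse_tos(dump)
        print("%-8s %s  dscp=%d ecn=%d flags=%s checksum_ok=%s" % (
            name, tcpdump_style(f), f["dscp"], f["ecn"],
            f["rfc1349_flags"], f["checksum_ok"]))
```

Running it prints the machineA packet as "(DF) [tos 0x10] (ttl 64, id 50362, len 600)" with the RFC 1349 lowdelay bit set, and the machineB packet as "(DF) (ttl 64, id 49224, len 440)" with TOS 0, which is why the second capture shows no bracket. To apply it to a live capture, paste the hex lines that follow a packet's summary line in tcpdump -x output into parse_tos.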

