![\"The](\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/04\/The-IP-ToS-Byte-DSCP-and-IP-ECN.jpg\" "\\"The")
<\/a>The IP ToS Byte (DSCP and IP ECN)<\/p><\/div>\n
FIRST THE ANSWER:<\/strong> – an example filtering on DSCP decimal 20 (AF22):<\/strong> – An example filtering on DSCP Hex 14 (also decimal 20 or AF22):<\/strong> When traffic is marked with a DSCP (6 bits) , TCPDUMP will interpret all 8 bits used by the ToS Byte in the IP header.<\/p>\n 1. EXAMPLE CAPTURE <\/strong><\/p>\n I set my LAN to mark traffic with DSCP 20. Notice that traffic captured showed the second byte ( or “byte offset 1” as we count from 0) of the IP header, which is set to 0x50 (hex 50).\u00a0 (This is the value of the whole ToS Byte).<\/p>\n Why 0x50 and not 0x14, which is the Hex equivalent of DSCP 20 (AF22)? 6 bits = 010100 = Decimal 20 = Hex 14 2 packets captured 2. TCPDUMP FILTER: <\/strong><\/p>\n There are two ways to filter. You can match the hex value of the entire 8 bits of the DS field, so you would need to calculate the 8-bit hex value of a six bit DSCP, like this:<\/p>\n Steelhead # tcpdump -i eth0 (ip and ip[1] & 0xfc == 0x50) \u2013vvv<\/p>\n Or you can \u201cright-shift\u201d to \u2018eliminate\u2019 the two extraneous bits (the ECN) and use the correct hex value (or decimal) of the DSCP: What this does is this:
\n(in case it is not important to understand how the filter is constructed)<\/p>\n
\ntcpdump -i eth0 (ip and (ip[1] & 0xfc) >> 2 == 20) -vvv<\/p>\n
\ntcpdump -i eth0 (ip and (ip[1] & 0xfc) >> 2 == 0x14) \u2013vvv
\n<\/p>\n
\nThis is because DSCP 20 (six bits = 010100) = Hex 14 but using all 8 bits of the second byte (DS field of IP header) the value is 0x50<\/p>\n
\n8 bits = 01010000 = Decimal 80 = Hex 50<\/p>\nLinux # tcpdump -i eth0 -vvv (ip and (ip[1] & 0xfc) >> 2 == 20)<\/strong>
\ntcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 300 bytes
\n11:00:20.363070 IP (tos 0x50<\/strong><\/span>, ttl 128, id 7903, offset 0, flags [DF], proto TCP (6), length 68)
\n10.63.64.165.57018 > 79.73.127.147.http: Flags [S], cksum 0x43c7 (correct), seq 1610776870, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK,Unknown Option 7601010a3f40f60005,Unknown Option 760c01,nop,eol], length 0
\n11:00:20.364257 IP (tos 0x50<\/strong><\/span>, ttl 126, id 7903, offset 0, flags [DF], proto TCP (6), length 60)
\n79.73.127.147.http > 10.63.64.165.57018: Flags [S.], cksum 0x7ca9 (correct), seq 20020520, ack 1610776871, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK,Unknown Option 760c01,nop,nop,nop,eol], length 0<\/code><\/p>\n
\n2 packets received by filter
\n0 packets dropped by kernel
\nLinux #<\/p>\n
\nLinux # tcpdump -i eth0 (ip and (ip[1] & 0xfc) >> 2 == 20) -vvv
\nOr
\nLinux # tcpdump -i eth0 (ip and (ip[1] & 0xfc) >> 2 == 0x14) \u2013vvv<\/p>\n
\n– ip[1] refers to the Head byte 1 (second byte “BYTE OFFSET 1”, the TOS byte) of the IP header
\n– & means a Bitwise “AND”
\n– 0xfc = 11111100 is the mask to use for the AND<\/p>\n
![\"IP-Header\"](\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2011\/03\/IP-Header.jpg\" "\\"IP-Header\\"")
<\/a><\/p>\n