Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides



TCPdump & Wireshark tips & tricks - Different how-tos and some information I find interesting about the two most famous traffic analysis tools.

Author: admin (Site Admin) | Posted: Wed Apr 10, 2013 8:59 am

Tcpdump: How to capture only IP packets with a specific DSCP class in the IP header

Tcpdump filtering based on the DSCP field in the IP header.

DSCP stands for "Differentiated Services Code Point" and it refers to the second byte of the IP header (the TOS - Type Of Service - byte, ip[1] in tcpdump notation), specifically to the first 6 bits of that byte (the last 2 bits are ECN).

By looking at the DSCP code point table (http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-class-of-service/default-cos-section.html), let's say we want to capture only those packets with the "ef" (expedited forwarding) forwarding class.


Quote:
ef 101110



So the first 6 bits of the second byte of the IP header are "101110", and we want tcpdump to ignore the last two (ECN) bits. For this we apply a binary AND of all 8 bits with the mask 0xfc (11111100), which zeroes the ECN bits before the comparison.

Code:
# tcpdump -nni eth1 -v 'ip[1] & 0xfc == 184'


184 is the decimal value of 10111000: the 6 DSCP bits 101110 followed by 00 in place of the last 2 (ECN) bits.

The above means the filter matches any 8-bit TOS value which, after a logical AND with the binary value 11111100, yields 10111000 (184), whatever the value of its last two (ECN) bits.

Example of such a packet:
Code:
# tcpdump -nni eth1 -v 'ip[1] & 0xfc == 184'
12:56:49.690239 IP (tos 0xb8, ttl 63, id 44823, offset 0, flags [DF], proto TCP (6), length 40)
    28.32.179.11.80 > 61.219.73.106.61244: Flags [F.], cksum 0xdac1 (correct), seq 2799324281, ack 4189664666, win 108, length 0


The ToS field is 0xb8, which is binary 10111000, or decimal 184.
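As an added example (not part of the original post), the following Python derives the filter expression from a DSCP code point, decodes the TOS byte of a constructed IPv4 header like the one in the capture above, and shows why the 0xfc mask also matches the same DSCP when the ECN bits are set. The DSCP value "ef" = 101110 is from the page; the header bytes are constructed here for the demonstration.

```python
# Added example: compute and check the tcpdump DSCP filter from the post.
# Standard library only; the sample IPv4 header is constructed, not captured.
import struct

DSCP_EF = 0b101110   # "ef" (expedited forwarding) from the Juniper DSCP table
DSCP_MASK = 0xFC     # 11111100: keep the 6 DSCP bits, drop the 2 ECN bits


def tos_for_dscp(dscp: int) -> int:
    """Place a 6-bit DSCP value in the top 6 bits of the TOS byte (ECN = 00)."""
    if not 0 <= dscp <= 0x3F:
        raise ValueError("DSCP is a 6-bit value")
    return dscp << 2


def tcpdump_filter(dscp: int) -> str:
    """Build the filter used on the page, e.g. 'ip[1] & 0xfc == 184' for ef."""
    return f"ip[1] & 0x{DSCP_MASK:02x} == {tos_for_dscp(dscp)}"


def tos_matches(tos: int, dscp: int) -> bool:
    """What the BPF program does per packet: mask the ECN bits, then compare."""
    return (tos & DSCP_MASK) == tos_for_dscp(dscp)


def dscp_ecn_from_tos(tos: int) -> tuple:
    """Split a TOS byte into its (DSCP, ECN) parts."""
    return tos >> 2, tos & 0x03


def tos_from_ipv4_header(header: bytes) -> int:
    """Read ip[1] (the TOS byte) from a raw IPv4 header, checking the version."""
    version_ihl, tos = struct.unpack("!BB", header[:2])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return tos


# Constructed 20-byte IPv4 header mirroring the captured packet: tos 0xb8,
# length 40, id 44823, DF flag, ttl 63, proto TCP (6); checksum left as 0.
SAMPLE_HEADER = struct.pack(
    "!BBHHHBBH4s4s", 0x45, 0xB8, 40, 44823, 0x4000, 63, 6, 0,
    bytes([28, 32, 179, 11]), bytes([61, 219, 73, 106]))

if __name__ == "__main__":
    print(tcpdump_filter(DSCP_EF))                    # ip[1] & 0xfc == 184
    tos = tos_from_ipv4_header(SAMPLE_HEADER)
    print(f"tos 0x{tos:02x} -> dscp/ecn {dscp_ecn_from_tos(tos)}")
    # 0xb9..0xbb (ef with ECN bits set) still match; 0xb4 is a different DSCP
    for t in (0xB8, 0xBB, 0xB4, 0x00):
        print(f"tos 0x{t:02x} matches ef filter: {tos_matches(t, DSCP_EF)}")
```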
