Jonathan Morton <chromatix99@gmail.com> wrote:
    >> On 24 Mar, 2019, at 12:05 pm, Pete Heist <pete@heistp.net> wrote:
    >> 
    >> tcpdump -r file.pcap udp port 2112 and greater 80 and "ip[1] != 0x1”
    >> 
    >> “greater 80” ignores the handshake packets and 0x1 is whatever TOS
    >> value we want to make sure the packets contain. We can use different
    >> filters for other traffic.

    > Bear in mind that the TOS byte contains ECN as well as DSCP fields, and
    > the latter is left-justified.

libpcap should probably learn about DSCN bits to avoid people having to
think so much :-)

Send patches to me/github.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [