What is the ToS field in the IP header used for, and can it be used for reliable data delivery?

People using NetFlow Analyzer might wonder what the reports about DSCP and ToS actually mean. In this blog, we’ll explain these fields in detail.

The NetFlow packets exported from the device contain the ToS value of each flow. Analysis software derives the DSCP from the ToS value.

Type of Service (ToS)

The ToS field, originally defined in RFC 791, is present in the IP header.

The ToS octet consists of three fields. The three most significant bits (bits 7, 6, and 5, counting the least significant bit as bit 0) form the first field, labeled “Precedence,” intended to denote the importance or priority of the datagram. The second field, labeled “TOS,” denotes how the network should make tradeoffs between throughput, delay, reliability, and cost. The last field, labeled “MBZ” (for “must be zero”), is currently unused. The originator of a datagram sets this field to zero (unless participating in an Internet protocol experiment which makes use of that bit). Routers and recipients of datagrams ignore the value of this field. This field is copied on fragmentation.

Differentiated Services Code Point (DSCP)

The definition of ToS was changed entirely in RFC 2474, and the field is now called the Differentiated Services (DS) field. Of the eight bits, the upper six contain a value called the Differentiated Services Code Point (DSCP). The last two bits are used for Explicit Congestion Notification, which is defined in RFC 3168.

Interpretation of ToS and DSCP fields

DSCP interpretation (RFC 2474)

RFC 791 and RFC 1349

In DSCP, the most significant three bits map directly to IP Precedence. Below is a DSCP to IP Precedence conversion table.

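| DSCP Name | DS Field Value (Binary) | DS Field Value (Decimal) | IP Precedence |
|---|---|---|---|
| CS0 | 000 000 | 0 | 0 |
| CS1 | 001 000 | 8 | 1 |
| AF11 | 001 010 | 10 | 1 |
| AF12 | 001 100 | 12 | 1 |
| AF13 | 001 110 | 14 | 1 |
| CS2 | 010 000 | 16 | 2 |
| AF21 | 010 010 | 18 | 2 |
| AF22 | 010 100 | 20 | 2 |
| AF23 | 010 110 | 22 | 2 |
| CS3 | 011 000 | 24 | 3 |
| AF31 | 011 010 | 26 | 3 |
| AF32 | 011 100 | 28 | 3 |
| AF33 | 011 110 | 30 | 3 |
| CS4 | 100 000 | 32 | 4 |
| AF41 | 100 010 | 34 | 4 |
| AF42 | 100 100 | 36 | 4 |
| AF43 | 100 110 | 38 | 4 |
| CS5 | 101 000 | 40 | 5 |
| EF | 101 110 | 46 | 5 |
| CS6 | 110 000 | 48 | 6 |
| CS7 | 111 000 | 56 | 7 |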

NetFlow Analyzer’s DSCP and ToS reports

NetFlow Analyzer reports on both DSCP and ToS. The DSCP report shows the traffic utilization for each DSCP marking, along with the applications and conversations that carry that marking.

The ToS report shows corresponding ToS values for each DSCP.

Reference: http://bogpeople.com/networking/dscp.shtml

Internet Protocol network packets can have one byte in the IP header defining what kind of service (and priority) the packet contains. The same one byte is used for both Type of Service (ToS) classifications and differentiated services code point (DSCP) values.

The Type of Service byte was defined in 1981. The differentiated services code point (DSCP) byte was defined later, in December 1998. Both share the same byte in the IP packet header, so they are the exact same field, even though the byte is interpreted as meaning different things depending on how you look at it.

Type of Service (ToS)

The ToS (Type of Service) byte inside the IP header can be used for prioritization of packets inside a network. The field was defined in the RFC 791 IP protocol specification published in September 1981.

The Type of Service octet consists of three fields (RFC 1349):

       0     1     2     3     4     5     6     7
    +-----+-----+-----+-----+-----+-----+-----+-----+
    |                 |                       |     |
    |   PRECEDENCE    |          TOS          | MBZ |
    |                 |                       |     |
    +-----+-----+-----+-----+-----+-----+-----+-----+

The first 3 bits of a ToS field indicate precedence.

  • The 4th bit is used to signal if low delay is desired and required
  • The 5th bit indicates if high throughput is desired.
  • The 6th bit indicates if high reliability is desired.
  • The 7th and 8th bits are reserved

Differentiated services fields (DS field)

Everyone was happy with good old simple Type of Service codes until RFC 2474 defined a Differentiated Services Field (DS Field) using the IP protocol's Type of Service byte in December 1998.

The differentiated services code point (DSCP) values are defined by the first six bits of the DSCP/ToS byte. The last two bits are used for ECN (Explicit Congestion Notification) as defined in RFC 3168.

DSCP defines several traffic classes. The primary DSCP classes, per RFC 4594 and RFC 8622, are:

  • Lower-Effort (LE)
  • Default Forwarding (DF)
  • Assured Forwarding (AF)
  • Expedited Forwarding (EF)
  • Class Selector (CS)

Higher numbered queues within the "Assured Forwarding" sub-classes have lower priority (AF41 has a higher priority than AF42). However, AF21-AF23 will have a higher priority than AF11-AF13.

The "Class Selector" values select class types, not priority.

The DSCP and The ToS Byte Values

Service class names are defined in RFC 4594, RFC 5865, and RFC 8622.

DSCP, DiffServ and hexadecimal ToS values
| DSCP Name | DS Field Binary | DS Field Decimal | DS Hex | ToS Precedence (dec) | ToS Hexadecimal | ToS Decimal | ToS Binary | iptables ToS name | Service Class Name |
|---|---|---|---|---|---|---|---|---|---|
| DF / CS0 | 000 000 | 0 | 0x00 | 0 | 0x00 | 0 | 0000 0000 | Normal-Service | Standard |
| none | - | - | - | 0 | 0x02 | 2 | 0000 0010 | Minimize-Cost | |
| none | 000 001 | 1 | 0x01 | 0 | 0x04 | 4 | 0000 0100 | Maximize-Reliability | |
| LE | 000 001 | 1 | 0x01 | 0 | 0x04 | 4 | 0000 0100 | | Lower-Effort |
| none | 000 010 | 2 | 0x02 | 0 | 0x08 | 8 | 0000 1000 | Maximize-Throughput | |
| none | 000 100 | 4 | 0x04 | 0 | 0x10 | 16 | 0001 0000 | Minimize-Delay | |
| CS1 | 001 000 | 8 | 0x08 | 1 | 0x20 | 32 | 0010 0000 | | Low-Priority Data |
| AF11 | 001 010 | 10 | 0x0a | 1 | 0x28 | 40 | 0010 1000 | | High-Throughput Data |
| AF12 | 001 100 | 12 | 0x0c | 1 | 0x30 | 48 | 0011 0000 | | High-Throughput Data |
| AF13 | 001 110 | 14 | 0x0e | 1 | 0x38 | 56 | 0011 1000 | | High-Throughput Data |
| CS2 | 010 000 | 16 | 0x10 | 2 | 0x40 | 64 | 0100 0000 | | OAM |
| AF21 | 010 010 | 18 | 0x12 | 2 | 0x48 | 72 | 0100 1000 | | Low-Latency Data |
| AF22 | 010 100 | 20 | 0x14 | 2 | 0x50 | 80 | 0101 0000 | | Low-Latency Data |
| AF23 | 010 110 | 22 | 0x16 | 2 | 0x58 | 88 | 0101 1000 | | Low-Latency Data |
| CS3 | 011 000 | 24 | 0x18 | 3 | 0x60 | 96 | 0110 0000 | | Broadcast Video |
| AF31 | 011 010 | 26 | 0x1a | 3 | 0x68 | 104 | 0110 1000 | | Multimedia Streaming |
| AF32 | 011 100 | 28 | 0x1c | 3 | 0x70 | 112 | 0111 0000 | | Multimedia Streaming |
| AF33 | 011 110 | 30 | 0x1e | 3 | 0x78 | 120 | 0111 1000 | | Multimedia Streaming |
| CS4 | 100 000 | 32 | 0x20 | 4 | 0x80 | 128 | 1000 0000 | | Real-Time Interactive |
| AF41 | 100 010 | 34 | 0x22 | 4 | 0x88 | 136 | 1000 1000 | | Multimedia Conferencing |
| AF42 | 100 100 | 36 | 0x24 | 4 | 0x90 | 144 | 1001 0000 | | Multimedia Conferencing |
| AF43 | 100 110 | 38 | 0x26 | 4 | 0x98 | 152 | 1001 1000 | | Multimedia Conferencing |
| CS5 | 101 000 | 40 | 0x28 | 5 | 0xa0 | 160 | 1010 0000 | | Signaling (IP Telephony, etc) |
| voice-admit | 101 100 | 44 | 0x2c | 5 | 0xb0 | 176 | 1011 0000 | | |
| EF | 101 110 | 46 | 0x2e | 5 | 0xb8 | 184 | 1011 1000 | | Telephony |
| CS6 | 110 000 | 48 | 0x30 | 6 | 0xc0 | 192 | 1100 0000 | | Network Routing Control |
| CS7 | 111 000 | 56 | 0x38 | 7 | 0xe0 | 224 | 1110 0000 | | "Reserved" |

Home users who want to set the DSCP fields (even though the ISP will likely not care) may want to use these classes for QoS queues:

| QoS queue | Traffic Type | DSCP Class |
|---|---|---|
| 1 | SYN, ACK, immediate delivery | AF21 |
| 2 | SSH, VOIP, DNS | AF22 |
| 3 | Default queue, WWW server(s) | AF23 |
| 4 | Tor node | AF11 |
| 5 | Bitcoin node | LE |
| 6 | Bulk (BitTorrent etc) | LE |

Iptables & ToS & DSCP Values

Iptables and some older routers, notably from Cisco, use an older ToS scheme defined in RFC 1349, where bits 0 to 2 are "precedence" and bits 3 to 6 define the Type of Service (4 bits). iptables lets you use 5 pre-defined ToS names (aliases) to set the ToS byte using its --set-tos option. You can also use hex values 0x00-0xFF or decimal numbers between 0 and 255. The names you can use with iptables are:

| name | decimal | hex | bin |
|---|---|---|---|
| Minimize-Delay | 16 | 0x10 | 1000 |
| Maximize-Throughput | 8 | 0x08 | 0100 |
| Maximize-Reliability | 4 | 0x04 | 0010 |
| Minimize-Cost | 2 | 0x02 | 0001 |
| Normal-Service | 0 | 0x00 | 0000 |

You can print the above list with iptables -j TOS -h.

Changing the ToS field will also change the Differentiated Services Fields (DS field) since they are the same field.

Setting the ToS field to Minimize-Cost will change bit 6. Bits 6 and 7 are the DSCP ECN bits! Be aware of this side effect when you use -j TOS --set-tos with iptables! A precedence of 3 with the Minimize-Cost value will look like this:

       0     1     2     3     4     5     6     7
    +-----+-----+-----+-----+-----+-----+-----+-----+
    |                 |                       |     |
    |   PRECEDENCE    |          TOS          | MBZ |
    |                 |                       |     |
    +-----+-----+-----+-----+-----+-----+-----+-----+
       1     1     0     0     0     0     1     0

That's not good since the last two bits are defined as ECN (Explicit Congestion Notification) bits within the Differentiated Services specification.
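The two readings of the shared byte, and the ECN side effect just described, as an added example (not code from the original page, from iptables, or from NetFlow Analyzer). The function names and the sample flow tuples are constructed for illustration; the legacy names and values are the ones listed above, and the ECN codepoint names are those of RFC 3168.

```python
from collections import Counter

ECN_NAMES = {0: "Not-ECT", 1: "ECT(1)", 2: "ECT(0)", 3: "CE"}  # RFC 3168 codepoints
# Legacy RFC 1349 names and values accepted by iptables --set-tos (from the list above)
LEGACY_TOS = {"Minimize-Delay": 0x10, "Maximize-Throughput": 0x08,
              "Maximize-Reliability": 0x04, "Minimize-Cost": 0x02}

def _dscp_names():
    names = {n << 3: f"CS{n}" for n in range(8)}      # class selectors: 8 * n
    for cls in range(1, 5):                           # AFxy = 8 * x + 2 * y
        for drop in range(1, 4):
            names[(cls << 3) | (drop << 1)] = f"AF{cls}{drop}"
    names.update({0: "DF/CS0", 1: "LE", 44: "voice-admit", 46: "EF"})
    return names

DSCP_NAMES = _dscp_names()

def decode_tos(tos):
    """Split one ToS/DS byte into its DiffServ and legacy ToS readings."""
    if not 0 <= tos <= 0xFF:
        raise ValueError(f"ToS must fit in one byte, got {tos!r}")
    dscp = tos >> 2                                   # upper six bits
    return {
        "dscp": dscp,
        "dscp_name": DSCP_NAMES.get(dscp, "none"),
        "precedence": tos >> 5,                       # top three bits
        "ecn": ECN_NAMES[tos & 0x03],                 # lower two bits
        "legacy": [n for n, bit in LEGACY_TOS.items() if tos & bit],
    }

def dscp_report(flows):
    """Sum bytes per DSCP name (a simplified, hypothetical DSCP report)."""
    totals = Counter()
    for tos, nbytes in flows:
        totals[decode_tos(tos)["dscp_name"]] += nbytes
    return dict(totals)

def legacy_names_touching_ecn():
    """Legacy --set-tos names whose value sets one of the two ECN bits."""
    return [n for n, v in LEGACY_TOS.items() if v & 0x03]

# Constructed sample: (ToS byte taken from a flow record, byte count)
SAMPLE_FLOWS = [(0xB8, 1200), (0x28, 400), (0x2A, 100), (0x00, 9000), (0x02, 50)]

if __name__ == "__main__":
    for tos, _ in SAMPLE_FLOWS:
        print(f"0x{tos:02x}", decode_tos(tos))
    print(dscp_report(SAMPLE_FLOWS))
    print(legacy_names_touching_ecn())
```

A byte of 0x02 (Minimize-Cost) decodes to DSCP 0 with ECN codepoint ECT(0), so a DiffServ-aware hop reads the packet as default-class traffic from an ECN-capable sender rather than as a cost hint.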

You should avoid using -j TOS --set-tos using the outdated ToS values. However, you can if you really want to, you have our permission:

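    # Outgoing interface whose traffic is marked
    IF=br0
    # Create a dedicated chain in the mangle table and send outgoing traffic through it
    iptables -t mangle -N MYSHAPER-OUT
    iptables -t mangle -I POSTROUTING -o "${IF}" -j MYSHAPER-OUT
    # Mark TCP and UDP traffic from source port 32680 with the legacy ToS value
    iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 32680 -j TOS --set-tos Maximize-Throughput
    iptables -t mangle -A MYSHAPER-OUT -p udp --sport 32680 -j TOS --set-tos Maximize-Throughput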

The above example would mark all traffic from the source-port 32680 going out of br0 as Maximize-Throughput (0x08).

iptables can also set the DSCP field. This is what you want to set even if Type-of-service is what you think you want.

The DSCP field can be set with either -j DSCP --set-dscp decimal-or-hex-value or -j DSCP --set-dscp-class DiffServ-class-value. See the DSCP table above for possible --set-dscp-class values. iptables will accept BE, EF and any of the CSxx and AFxx classes.

    # Outgoing interface whose traffic is marked
    IF=br0
    # Create a dedicated chain in the mangle table and send outgoing traffic through it
    iptables -t mangle -N MYSHAPER-OUT
    iptables -t mangle -I POSTROUTING -o "${IF}" -j MYSHAPER-OUT
    # Mark TCP and UDP traffic from source port 32680 with the AF13 DSCP class
    iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 32680 -j DSCP --set-dscp-class AF13
    iptables -t mangle -A MYSHAPER-OUT -p udp --sport 32680 -j DSCP --set-dscp-class AF13
