It's entirely undocumented, for good reason. In case you also have a peculiar interest in RFC2385, this is what you need to do:
Not actually that hard. A successful application, with -M and the key passed to tcpdump, will show md5valid in the TCP options. An incorrect key will show md5invalid.#include <linux/tcp.h> ... struct tcp_md5sig md5sig; char *key = "foobar"; /* addr is the struck sockaddr * passed to connect(2), from getaddrinfo() or otherwise */ memcpy(&md5sig.tcpm_addr, addr, sizeof addr); md5sig.tcpm_keylen = strlen(key); memcpy(&md5sig.tcpm_key, key, md5sig.tcpm_keylen); setsockopt(sockfd, IPPROTO_TCP, TCP_MD5SIG, &md5sig, sizeof md5sig);