[Openswan Users] Packets show up twice in tcpdump

Michael Smith msmith at cbnco.com
Tue Aug 22 17:58:13 EDT 2006


I've been using the kernel 2.6 stack with Openswan 2.4.x for a while now, 
and something's been nagging me. I just found out there's some crossover 
between the tcpdump and openswan maintainers so I figured I'd post here.

With the old KLIPS stack and the virtual interface hack in kernel 2.4, 
I could see bandwidth usage very clearly in tcpdump, iptraf, and traffic 
shaping (tc). Unencrypted packets showed up only on ipsec0 and what I saw 
in tcpdump for physical interfaces was exactly what was on the wire.

In 2.6, incoming packets show up twice when I tcpdump the physical 
interface: once as ESP, then again after decryption. Outgoing packets 
don't show up at all if they're being encrypted (!!). iptraf is 
double-counting incoming bandwidth on the physical interfaces, too. 
(Outgoing is OK.)

I'm running kernel, Openswan 2.4.4, libpcap 0.7.1, and tcpdump 
3.7.2, and before I start upgrading I am curious if anyone else sees the 
same things with later versions. Does anyone understand how it will work 
with traffic shaping? With KLIPS I used to give outgoing ESP packets 
priority over normal Internet traffic on the physical interface. I haven't 
been doing that in 2.6 because I'm not sure it'll work. Ingress policing 
would probably work even less unless I can find a way to exclude the 
post-decryption packets from the bandwidth counters.

