[Openswan Users] Packets show up twice in tcpdump
msmith at cbnco.com
Tue Aug 22 17:58:13 EDT 2006
I've been using the kernel 2.6 stack with Openswan 2.4.x for a while now,
and something's been nagging me. I just found out there's some crossover
between the tcpdump and openswan maintainers so I figured I'd post here.
With the old KLIPS stack and the virtual interface hack in kernel 2.4,
I could see bandwidth usage very clearly in tcpdump, iptraf, and traffic
shaping (tc). Unencrypted packets showed up only on ipsec0 and what I saw
in tcpdump for physical interfaces was exactly what was on the wire.
In 2.6, incoming packets show up twice when I tcpdump the physical
interface: once as ESP, then again after decryption. Outgoing packets
don't show up at all if they're being encrypted (!!). iptraf is
double-counting incoming bandwidth on the physical interfaces, too.
(outgoing is OK.)
I'm running kernel 184.108.40.206, Openswan 2.4.4, libpcap 0.7.1, and tcpdump
3.7.2 and before I start upgrading I am curious if anyone else sees the
same things with later versions. Does anyone understand how it will work
with traffic shaping? With KLIPS I used to give outgoing ESP packets
priority over normal Internet traffic on the physical interface. I haven't
been doing that in 2.6 because I'm not sure it'll work. Ingress policing
would probably work even less unless I can find a way to exclude the
post-decryption packets from the bandwidth counters.
More information about the Users