[Openswan Users] Packets show up twice in tcpdump
cam73 at aanet.com.au
Tue Aug 22 18:52:03 EDT 2006
Michael Smith wrote:
> snip ..
> In 2.6, incoming packets show up twice when I tcpdump the physical
> interface: once as ESP, then again after decryption. Outgoing packets
> don't show up at all if they're being encrypted (!!). iptraf is
> double-counting incoming bandwidth on the physical interfaces, too.
> (outgoing is OK.)
> I'm running kernel 188.8.131.52, Openswan 2.4.4, libpcap 0.7.1, and tcpdump
> 3.7.2 and before I start upgrading I am curious if anyone else sees the
> same things with later versions. Does anyone understand how it will work
> with traffic shaping? With KLIPS I used to give outgoing ESP packets
> priority over normal Internet traffic on the physical interface. I haven't
> been doing that in 2.6 because I'm not sure it'll work. Ingress policing
> would probably work even less unless I can find a way to exclude the
> post-decryption packets from the bandwidth counters.
I noticed the same thing with 184.108.40.206.
The possibility of a problem with ingress policing had not occurred to
me, but it seems obvious once you say it.
I have not seen any description of where various things hook in, so
traffic shaping might be OK.
For outgoing, could you just try a separate class for ESP and count the
More information about the Users