[Openswan Users] Packets show up twice in tcpdump
Cameron Davidson
cam73 at aanet.com.au
Tue Aug 22 18:52:03 EDT 2006
Michael Smith wrote:
> Hi,
>
> snip ..
>
> In 2.6, incoming packets show up twice when I tcpdump the physical
> interface: once as ESP, then again after decryption. Outgoing packets
> don't show up at all if they're being encrypted (!!). iptraf is
> double-counting incoming bandwidth on the physical interfaces, too.
> (outgoing is OK.)
>
> I'm running kernel 2.6.11.11, Openswan 2.4.4, libpcap 0.7.1, and tcpdump
> 3.7.2 and before I start upgrading I am curious if anyone else sees the
> same things with later versions. Does anyone understand how it will work
> with traffic shaping? With KLIPS I used to give outgoing ESP packets
> priority over normal Internet traffic on the physical interface. I haven't
> been doing that in 2.6 because I'm not sure it'll work. Ingress policing
> would probably work even less unless I can find a way to exclude the
> post-decryption packets from the bandwidth counters.
>
> Thanks,
> Mike
Mike,
I noticed the same thing with 2.6.16.18.
The possibility of a problem with ingress policing had not occurred to
me, but it seems obvious once you say it.
I have not seen any description of where various things hook in, so
traffic shaping might be OK.
For outgoing, could you just try a separate class for ESP and count the
packets through?
Cameron.
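
Added example, not part of the original messages: one way to run the test suggested in the reply above, using an HTB qdisc with a dedicated class for ESP (IP protocol 50) on the physical interface and then reading the per-class counters. The interface name, rates and class ids are assumptions, and the script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: egress HTB setup with a separate ESP class, so the class
# counters show whether encrypted packets pass through the qdisc on the
# physical interface. All values below are assumptions for illustration.
DEV="${DEV:-eth0}"              # physical interface (assumed name)
RATE="${RATE:-1mbit}"           # total uplink rate (assumed)
ESP_RATE="${ESP_RATE:-400kbit}" # guaranteed share for ESP (assumed)
REST_RATE="${REST_RATE:-600kbit}"
DRY_RUN="${DRY_RUN:-1}"         # 1 = print commands only, 0 = apply (needs root)

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_esp_class() {
    # Root HTB qdisc; unclassified traffic falls into class 1:20.
    run tc qdisc add dev "$DEV" root handle 1: htb default 20
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "$RATE"
    # 1:10 carries ESP and is served first; 1:20 carries everything else.
    run tc class add dev "$DEV" parent 1:1 classid 1:10 htb rate "$ESP_RATE" ceil "$RATE" prio 0
    run tc class add dev "$DEV" parent 1:1 classid 1:20 htb rate "$REST_RATE" ceil "$RATE" prio 1
    # Match on the IP protocol field: 50 is ESP.
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 u32 match ip protocol 50 0xff flowid 1:10
}

# Per-class packet and byte counters; compare 1:10 against 1:20.
show_counters() {
    run tc -s class show dev "$DEV"
}

setup_esp_class
show_counters
```

If the counters for class 1:10 increase while tunnel traffic is flowing, outgoing ESP is passing through the qdisc on the physical interface and can be prioritised there.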