[Openswan Users] Packets show up twice in tcpdump

Paul Wouters paul at xelerance.com
Tue Aug 22 21:07:06 EDT 2006

On Tue, 22 Aug 2006, Michael Smith wrote:

> I've been using the kernel 2.6 stack with Openswan 2.4.x for a while now,
> and something's been nagging me. I just found out there's some crossover
> between the tcpdump and openswan maintainers so I figured I'd post here.
> With the old KLIPS stack and the virtual interface hack in kernel 2.4,
> I could see bandwidth usage very clearly in tcpdump, iptraf, and traffic
> shaping (tc). Unencrypted packets showed up only on ipsec0 and what I saw
> in tcpdump for physical interfaces was exactly what was on the wire.
> In 2.6, incoming packets show up twice when I tcpdump the physical
> interface: once as ESP, then again after decryption. Outgoing packets
> don't show up at all if they're being encrypted (!!). iptraf is
> double-counting incoming bandwidth on the physical interfaces, too.
> (outgoing is OK.)
> I'm running kernel, Openswan 2.4.4, libpcap 0.7.1, and tcpdump
> 3.7.2 and before I start upgrading I am curious if anyone else sees the

You can run KLIPS on 2.6 kernels too and have the old behaviour back.

Building and integrating Virtual Private Networks with Openswan:

More information about the Users mailing list