[Openswan Users] Packets show up twice in tcpdump

Michael Smith msmith at cbnco.com
Tue Aug 22 21:43:30 EDT 2006

On Tue, 22 Aug 2006, Andy Gay wrote:

> Seeing the incoming packet twice is normal. It passes the hook that
> tcpdump sees twice, before and after decryption. But you should
> certainly see the outgoing esp packet. It works for me - this is a trace
> of 2 pings and their replies, using tcpdump version 3.9.4,
> libpcap version 0.9.4

OK, right. It's the unencrypted outgoing packet that you don't see.

> > Ingress policing would probably work even less unless I can find a way
> > to exclude the post-decryption packets from the bandwidth counters.
> Match those as (not protocol 50)....
> Doesn't seem that hard. Maybe I'm missing something.

(not protocol 50) also matches traffic that was never IPsec'd in the first 
place. Both IPsec and non-IPsec traffic pass over the same interface and 
I'd like to prioritize the IPsec stuff.


