[Openswan Users] Packets show up twice in tcpdump
msmith at cbnco.com
Tue Aug 22 21:43:30 EDT 2006
On Tue, 22 Aug 2006, Andy Gay wrote:

> Seeing the incoming packet twice is normal. It passes the hook that
> tcpdump sees twice, before and after decryption. But you should
> certainly see the outgoing esp packet. It works for me - this is a trace
> of 2 pings and their replies, using 220.127.116.11, tcpdump version 3.9.4,
> libpcap version 0.9.4

OK, right. It's the unencrypted outgoing packet that you don't see.

> > Ingress policing
> > would probably work even less unless I can find a way to exclude the
> > post-decryption packets from the bandwidth counters.

> Match those as (not protocol 50)....
> Doesn't seem that hard. Maybe I'm missing something.

(not protocol 50) also matches traffic that was never IPsec'd in the first
place. Both IPsec and non-IPsec traffic pass over the same interface and
I'd like to prioritize the IPsec stuff.