[Openswan Users] Packets show up twice in tcpdump

Andy Gay andy at andynet.net
Tue Aug 22 22:39:28 EDT 2006

On Tue, 2006-08-22 at 21:43 -0400, Michael Smith wrote:
> On Tue, 22 Aug 2006, Andy Gay wrote:
> > Seeing the incoming packet twice is normal. It passes the hook that
> > tcpdump sees twice, before and after decryption. But you should
> > certainly see the outgoing esp packet. It works for me - this is a trace
> > of 2 pings and their replies, using, tcpdump version 3.9.4,
> > libpcap version 0.9.4
> OK, right. It's the unencrypted outgoing packet that you don't see.
> > >  Ingress policing 
> > > would probably work even less unless I can find a way to exclude the 
> > > post-decryption packets from the bandwidth counters.
> > Match those as (not protocol 50)....
> > Doesn't seem that hard. Maybe I'm missing something.
> (not protocol 50) also matches traffic that was never IPsec'd in the first 
> place. Both IPsec and non-IPsec traffic pass over the same interface and 
> I'd like to prioritize the IPsec stuff.

Mark the incoming ESP packets using netfilter/iptables. The decrypted
packets will still be marked. You can use the mark to select packets to
prioritize, I believe.

With kernel 2.6.16 and above, you can also match on ipsec policy in
iptables, that may be useful here.

> Mike

More information about the Users mailing list