[vpn-help] tcpdump not showing traffic for tap0

Matthew Grooms mgrooms at shrew.net
Wed Apr 27 01:14:22 CDT 2011 

On 3/21/2011 8:42 PM, Dugen 42 wrote:
> I'm having an interesting problem which seems different from ones I have
> read about and it may be a bug with the tap/tun device driver or it may
> be something stupid I'm doing wrong but I can't figure out what it might
> be.
>
> To start with, my VPN works.  I imported from a cisco pcf file.  It
> configures a tap0 interface, assigns an IP.  It's passing traffic.  DNS
> resolution is working.  Pings work.  Web pages load.  Everything seems
> fine, but if I run "tcpdump -i tap0" it sees nothing even when the VPN
> is passing traffic.
>
> Here's the interesting thing.. when I run "tcpdump -i any icmp -n -e" to
> snoop all interfaces for ICMP traffic, then ping something over the VPN,
> I see incoming traffic, but the MAC address listed on the traffic shows
> it going to my eth0 MAC address.  Double checking with "tcpdump -i eth0"
> I see the incoming VPN packets (not encoded.. actual ICMP packets with
> source being the machine I'm pinging and the destination being the
> tap0's configured IP.)   It's as if the kernel is getting the packets
> but it thinks they are coming in from eth0.
>
> I can't find a way to see the outgoing traffic at all. "tcpdump -i any"
> doesn't see it, nor does looking at tap0 or lo.  This seems impossible,
> and yet I've run into it on two installs. One is Ubuntu 10.04 and the
> other is 10.10.  I installed the 10.10 clean just to test this.  I'm
> using Shrewsoft 2.1.7 I compiled myself and I had to turn off the
> rp_filter stuff in /etc/sysctl.conf (which itslef might be an indication
> of an issue) but I'm using all the stock Ubuntu stuff outside of that.
> I'm not above installing other OSs if this is a known issue with Ubuntu
> but I can't see how it would be.
>
> I ran into this problem because I'm trying to set up the interface to
> masquerade and it looks like it's working for the outgoing packets, but
> the incoming packets aren't being translated back.  I'm guessing it's
> not just tcpdump that this problem is affecting.
>
> Is this a known issue?  Does tcpdump actually work for most people on tap0?
>

Sorry for the delayed response. The short answer to your question is 
that IPsec is a strange animal. The problem you are seeing is actually 
by-design WRT the way IPsec hooks into the kernel. The outbound packets 
are being picked up by the kernel before they are actually transmitted 
on the virtual tap0 interface since they match a security policy. An 
inbound packet is seen because it has already been processed by IPsec. 
The reason it appears on eth0 is because the pre-IPsec-processed packet 
was received on that interface.

This is the very reason why BSD systems ( and possibly linux ) have an 
optional pseudo interface used specifically for inspection or filtering 
of IPsec related packets etc ...

http://www.unix.com/man-page/FreeBSD/4/if_enc/

-Matthew

More information about the vpn-help mailing list