Eugene Grosbein wrote: > 19.01.2020 14:12, Victor Sudakov wrote: > > > So this is most probably the artifact of if_enc. What is then the > > correct way to capture data with it? > > This is documented behaviour of enc(4), see its manual page for description > of sysctl net.enc.{in|out}.ipsec_bpf_mask
This description does not make much sense to me, there is neigher "inner header" nor "outer header" in transport mode. By trial and error I've figured out that "net.enc.out.ipsec_bpf_mask=1" is probably the answer. At least ICMP requests and replies are not duplicated any more. I still see lots of "dup ACKs" in Wireshark though. -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/49@fidonet http://vas.tomsk.ru/
signature.asc
Description: PGP signature