| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 11 Jan 2013 16:34:04 +0100 (CET) From: "pupilla@...ero.it" <pupilla@...ero.it> To: <jengelh@...i.de> Cc: <netdev@...r.kernel.org> Subject: R: Re: R: Re: mtu issue with ipsec tunnel and netfilter snat jengelh@...i.de wrote >On Thursday 2013-01-10 17:46, pupilla@...ero.it wrote: > >>jengelh@...i.de wrote: >>>> >>>>But why linux_gw_snat is not sending icmp need to frag packets to >>>>10.148.12.23? >>> >>>Perhaps because ICMP was blocked erroneously? >> >>well, I don't see the icmp packets because tcpdump 'see' only the >>incoming ipsec clear packets. Is there a way to see the outgoing clear >>ipsec packets with tcpdump? > >Not with AF_PACKET sockets (tcpdump uses such), but you could with >iptables -j LOG, NFLOG and TRACE they can be made visible. If you need >the full packet, you can either patch up LOG to call the kernel hexdump >functions, or use NFLOG - I think - to deliver it to any userspace >program to do further processing. If all else fails, there is also >NFQUEUE with which the packet can also be copied to userspace. > Thanks for the reply. I have saved the esp packets with tcpdump and then decrypted with wireshark. Indeed, the icmp need to frag packets are being sent by the linux ipsec gateway. Thanks for support. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists