Bug#10955: with IP masquerading, tcpdump doesn't show what's on the wire

Phil Karn (karn@ka9q.ampr.org)
Mon, 30 Jun 1997 13:53:10 -0700


Package: kernel-source-2.0.30
Version: 2.0.30-7

When running tcpdump on an interface when IP masquerading is in
use, tcpdump doesn't necessarily show the packet as it appears
on the wire.

In particular, incoming packets are displayed after the destination
IP address and TCP port number have been translated back to their
local values. On the other hand, masqueraded outbound packets are
shown correctly, after translation to external form.

If the purpose of tcpdump is to show what is actually being sent or
received on the specified interface, then the behavior on incoming
packets is arguably incorrect.

Here is a TCP connection trace that illustrates the problem:

13:50:29.660332 dt6h3n9a.san.rr.com.61469 > proxye1-atm.san.rr.com.nntp:
S 1386724028:1386724028(0) win 49152 <mss 1448,nop,wscale
0,nop,nop,timestamp[|tcp]> [tos 0x10] (ttl 63, id 34118)

13:50:29.670331 proxye1-atm.san.rr.com.nntp > homer.ka9q.ampr.org.1598:
S 3068138724:3068138724(0) ack 1386724029 win 8576 <mss 536> (DF) (ttl
252, id 42413)

13:50:29.670331 dt6h3n9a.san.rr.com.61469 > proxye1-atm.san.rr.com.nntp:
. ack 3068138725 win 49312 [tos 0x10] (ttl 63, id 34119)

In this case, dt6h3n9a.san.rr.com is the name on the Linux router's
external interface and homer.ka9q.ampr.org is the name of the internal
host whose packets are being masqueraded through the Linux router. The
first and third packets are shown as they actually appear on the wire,
while the second packet is shown after translation.

Phil

----- End of forwarded message from Phil Karn -----

-- 
Debian GNU/Linux 1.3 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <herbert@greathan.apana.org.au>
Home Page: http://greathan.apana.org.au/~herbert/
PGP Key: http://greathan.apana.org.au/~herbert/pubkey.txt
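The asymmetry Phil describes can be checked mechanically from a trace. The following is an added example (not part of the bug report or of the kernel package): it parses tcpdump lines in the 2.x/3.x format shown above, joins wrapped continuation lines, records which client endpoint opened each TCP connection (a SYN without ACK), and flags any reply whose displayed destination is not that endpoint. The sample trace is constructed from the three packets in the report; the reply from proxye1-atm is flagged because tcpdump displayed it addressed to homer.ka9q.ampr.org.1598 after de-masquerading, not to dt6h3n9a.san.rr.com.61469 as it appeared on the wire.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three packets from the report, with the wrapped
# continuation lines kept exactly as the report shows them.
SAMPLE = """\
13:50:29.660332 dt6h3n9a.san.rr.com.61469 > proxye1-atm.san.rr.com.nntp:
S 1386724028:1386724028(0) win 49152 <mss 1448,nop,wscale
0,nop,nop,timestamp[|tcp]> [tos 0x10] (ttl 63, id 34118)

13:50:29.670331 proxye1-atm.san.rr.com.nntp > homer.ka9q.ampr.org.1598:
S 3068138724:3068138724(0) ack 1386724029 win 8576 <mss 536> (DF) (ttl
252, id 42413)

13:50:29.670331 dt6h3n9a.san.rr.com.61469 > proxye1-atm.san.rr.com.nntp:
. ack 3068138725 win 49312 [tos 0x10] (ttl 63, id 34119)
"""

TIMESTAMP = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
# "<ts> <host>.<port> > <host>.<port>: <flags and options>"; the port is the
# last dot-separated component, so hostnames containing dots are fine.
HEADER = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) (\S+)\.([^.\s]+) > (\S+)\.([^.\s:]+): (.*)$"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: str
    dst: str
    dport: str
    rest: str  # flags, sequence numbers, options, ttl/id


def join_records(text):
    """Merge wrapped lines: a line not starting with a timestamp belongs to the previous record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if TIMESTAMP.match(line):
            records.append(line.strip())
        elif records:
            records[-1] += " " + line.strip()
    return records


def parse(text):
    """Parse tcpdump TCP lines into Packet objects; reject anything that does not fit the format."""
    packets = []
    for rec in join_records(text):
        m = HEADER.match(rec)
        if m is None:
            raise ValueError("unrecognised tcpdump line: " + rec)
        packets.append(Packet(*m.groups()))
    return packets


def is_syn_only(p):
    """True for a connection-opening SYN (flag S, no ack field)."""
    return p.rest.startswith("S ") and " ack " not in p.rest


def find_translated_replies(packets):
    """Return (packet, expected_destination) for replies whose displayed
    destination differs from the endpoint that opened the connection."""
    opened = {}  # (server_host, server_port) -> (client_host, client_port)
    findings = []
    for p in packets:
        if is_syn_only(p):
            opened[(p.dst, p.dport)] = (p.src, p.sport)
            continue
        expected = opened.get((p.src, p.sport))
        if expected is not None and (p.dst, p.dport) != expected:
            findings.append((p, expected))
    return findings


if __name__ == "__main__":
    for p, expected in find_translated_replies(parse(SAMPLE)):
        print("%s reply shown to %s.%s, wire destination was %s.%s"
              % (p.ts, p.dst, p.dport, expected[0], expected[1]))
```

The check only reports the symptom; it cannot recover the on-wire addresses from a trace that tcpdump has already shown post-translation. Its value is in confirming quickly whether a given trace of a masquerading router shows inbound packets before or after de-masquerading, which decides whether the addresses in it can be trusted when comparing against a capture taken elsewhere.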