tcpdump mailing list archives

tcpdump not capturing loopback interface traffic


From: Scott McGillivray <fourlightson () hotmail com>
Date: Wed, 7 Sep 2011 21:48:25 +0000


Hi

I am using Debian squeeze with tcpdump version 4.1.1 with libpcap version 1.1.1 and I'm having problems capturing
traffic from loopback interface lo. I use tcpdump -i lo -vv.

I have the server set up with stunnel running in transparent mode, which I believe uses a tproxy'ish setup since it needs
the below code.

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter

This all works fine, and as part of my setup I need to mark packets as they leave interface lo, so I do
iptables -t mangle -A OUTPUT -o lo -p tcp -j MARK --set-mark 2
and this marks the packets fine. If I log/trace these packets I can see them in /var/log/messages. For example:

debian kernel: [76198.428894] ---[MANGLE (OUTPUT)]:--- IN= OUT=lo SRC=10.0.0.10 DST=10.0.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63684 DF PROTO=TCP SPT=1249 DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0 MARK=0x2

The problem is that while tcpdump is running for interface lo I can't see this traffic, and I was wondering if this was by
design or if I had to enable some extra feature in the config?

If I ping 127.0.0.1 I see the tcpdump traffic, so I know it is working, just not for the above traffic.

If anyone can explain this behavior I'd appreciate it.

many thanks
flo


This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
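
Added example, not part of the original post and not code from the tcpdump project: a shell helper that turns a netfilter LOG line such as the one quoted above into a pcap filter, so the same flow can be looked for on lo and on the other interfaces and the results compared with what the LOG rule recorded. The function names and the SAMPLE variable are hypothetical; the sample line is copied from the post.

```shell
#!/bin/sh
# Added example: derive a tcpdump filter from a netfilter LOG entry.

# log_field LINE KEY -> print the value of the first KEY=value token in LINE.
# Runs in a subshell with globbing off, because LOG lines contain [ ] characters.
log_field() (
    set -f
    for tok in $1; do
        case $tok in
            "$2"=*) printf '%s\n' "${tok#*=}"; exit 0 ;;
        esac
    done
    exit 1
)

# log_to_filter LINE -> print a pcap filter matching the logged packet.
log_to_filter() (
    line=$1
    proto=$(log_field "$line" PROTO) || exit 1
    src=$(log_field "$line" SRC) || exit 1
    dst=$(log_field "$line" DST) || exit 1
    case $proto in
        TCP|UDP|ICMP) proto=$(printf '%s' "$proto" | tr '[:upper:]' '[:lower:]') ;;
        *) proto="ip proto $proto" ;;   # LOG prints other protocols as numbers
    esac
    filter="$proto and src host $src and dst host $dst"
    # SPT/DPT are only logged for protocols that have ports
    if spt=$(log_field "$line" SPT) && dpt=$(log_field "$line" DPT); then
        filter="$filter and src port $spt and dst port $dpt"
    fi
    printf '%s\n' "$filter"
)

# Sample input: the log line from the post.
SAMPLE='debian kernel: [76198.428894] ---[MANGLE (OUTPUT)]:--- IN= OUT=lo SRC=10.0.0.10 DST=10.0.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63684 DF PROTO=TCP SPT=1249 DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0 MARK=0x2'

# Print (not run) the captures to compare: the logged OUT interface, then all interfaces.
f=$(log_to_filter "$SAMPLE")
echo "tcpdump -n -vv -i $(log_field "$SAMPLE" OUT) '$f'"
echo "tcpdump -n -vv -i any '$f'"
```
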

