tcpdump behavior with netgraph

Riaan Kruger riaank at
Fri Sep 27 14:15:17 UTC 2013

I am trying to troubleshoot my netgraph setup.
I have a custom node connected to ng_ether's orphan and upper hooks.
This node inserts a special ethernet tag into certain UDP broadcast packets
going out and strips it coming back in.

With tcpdump I see two entries for each packet sent, one without the
special ethernet tag and one with it.
1. Is it correct that tcpdump sees the packet twice, and why? According to
the following diagram it does not make sense that tcpdump should see it

If the system has been running a while some of the UDP broadcast packets
are not sent and I only see (with tcpdump) the packet without the special
ethernet tag.
2. Is this an indication that the packet gets lost in the netgraph chain?

Last question:
3. How can I better debug/troubleshoot what is going on in the whole
netgraph subsystem, not just the netgraph node that I inserted in the chain?

PS. Questions numbered for your convenience :)
