
Did you compare the MAC address in the ARP reply with the one in the TCP SYN? Are they identical?

So, here are some possible explanations that might cause your TCP traffic to appear in Wireshark on the client, but not on the wire.

- There is some kind of tunnel (VPN like IPSEC or OpenVPN, IPinIP, etc.) on the client and the TCP packets are routed into that tunnel.
- There is a transparent (TCP) proxy running on the client that 'takes care' of the connection requests. This is usually the case for http(s) and ftp, where that behavior is desirable to scan the traffic.
- Another chain in iptables modifies the packet. I did not test it, but I think that could well cause the described behavior, from what I remember about troubleshooting on iptables firewalls.
- You have several interfaces and the packet takes a different route than you believe (host route, etc.); think also about policy-based routing!

Some of these ideas might sound weird, but that's what I have seen in the wild several times :-) People configure something and then forget about the fact and then wonder why certain things don't work :-)

If you drop frames in the OUTPUT chain, Wireshark will not see them, so iptables handles the packet before the kernel gets a chance to send a copy to dumpcap.

Would you suggest to me scenarios under which dev_hard_start_xmit() sends a packet to a PF_PACKET socket (because, say, dumpcap is running) but does not send the packet to the hardware? Does IPTables tinker with dev_hard_start_xmit's behavior?
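One way to do the MAC comparison suggested above on captured frames, as an added example that is not part of the original thread. It parses raw Ethernet frames (an ARP reply and IPv4 TCP SYNs) with only the standard library and reports, for each outbound SYN, whether its destination MAC is the one ARP resolved for the gateway. All addresses and frames are constructed here; build_arp_reply, build_tcp_syn and check_syn_next_hop are hypothetical helper names, not Wireshark or kernel APIs.

```python
"""Compare the MAC learned from an ARP reply with the destination MAC of
outbound TCP SYNs. A mismatch points at the tunnel / other-interface /
policy-routing explanations; a SYN that never shows up at all points at
the OUTPUT-chain case. Frames and addresses below are constructed samples."""
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
TCP_SYN = 0x02
TCP_ACK = 0x10


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet/ARP reply (opcode 2): sender is the gateway."""
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 2)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp


def build_tcp_syn(src_mac, dst_mac, src_ip, dst_ip, dport):
    """Constructed Ethernet/IPv4/TCP SYN; checksums left zero (not verified here)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, TCP_SYN, 64240, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def parse_ethernet(frame):
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), etype, frame[14:]


def arp_reply_binding(frame):
    """(sender_ip, sender_mac) if the frame is an Ethernet/IPv4 ARP reply, else None."""
    _, _, etype, payload = parse_ethernet(frame)
    if etype != ETHERTYPE_ARP or len(payload) < 28:
        return None
    _htype, _ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if oper != 2 or hlen != 6 or plen != 4:
        return None
    return ip_str(payload[14:18]), mac_str(payload[8:14])


def tcp_syn_target(frame):
    """(dst_ip, dst_mac) if the frame is an IPv4 TCP SYN (not SYN/ACK), else None."""
    dst_mac, _, etype, payload = parse_ethernet(frame)
    if etype != ETHERTYPE_IPV4 or len(payload) < 20:
        return None
    ihl = (payload[0] & 0x0F) * 4
    if payload[9] != 6 or len(payload) < ihl + 14:   # protocol 6 = TCP
        return None
    flags = payload[ihl + 13]
    if flags & TCP_SYN and not flags & TCP_ACK:
        return ip_str(payload[16:20]), dst_mac
    return None


def learn_arp_bindings(frames):
    """ip -> mac, taken from ARP replies seen in the capture."""
    bindings = {}
    for f in frames:
        b = arp_reply_binding(f)
        if b:
            bindings[b[0]] = b[1]
    return bindings


def check_syn_next_hop(frames, next_hop_ip):
    """For each outbound SYN: (dst_ip, syn_dst_mac, arp_mac_of_next_hop, match)."""
    arp_mac = learn_arp_bindings(frames).get(next_hop_ip)
    results = []
    for f in frames:
        t = tcp_syn_target(f)
        if t:
            dst_ip, syn_mac = t
            results.append((dst_ip, syn_mac, arp_mac, arp_mac is not None and syn_mac == arp_mac))
    return results


# Constructed sample capture: gateway ARP reply, one SYN via the gateway, one SYN
# sent to a different next hop (e.g. a tunnel or second interface).
GW_MAC, GW_IP = "00:11:22:33:44:55", "192.168.1.1"
HOST_MAC, HOST_IP = "aa:bb:cc:dd:ee:ff", "192.168.1.10"
SAMPLE_FRAMES = [
    build_arp_reply(GW_MAC, GW_IP, HOST_MAC, HOST_IP),
    build_tcp_syn(HOST_MAC, GW_MAC, HOST_IP, "203.0.113.7", 443),
    build_tcp_syn(HOST_MAC, "02:00:00:00:00:01", HOST_IP, "203.0.113.8", 443),
]

if __name__ == "__main__":
    for dst_ip, syn_mac, arp_mac, ok in check_syn_next_hop(SAMPLE_FRAMES, GW_IP):
        print(f"SYN to {dst_ip}: dst MAC {syn_mac}, ARP says {arp_mac} -> {'OK' if ok else 'MISMATCH'}")
```

In practice the frames would come from the client-side capture (link-layer type Ethernet) rather than the constructed list; the checksums are not validated because the point is only where the SYN is addressed at layer 2. A SYN whose destination MAC differs from the ARP-resolved gateway is strong evidence for one of the routing or tunnel explanations, and it also tells you which interface to capture on next.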
