Capture the packets on loopback network card on Linux:
# tcpdump -i lo -w lo.pcap port 33333
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
......
Download it onto Windows and use wireshark to analyze it:
We can see every packet conforms to standard ethernet format.
Capture lookback packets on OpenBSD:
# tcpdump -i lo0 -w lo.pcap port 33333
tcpdump: listening on lo0, link-type LOOP
......
Also download it onto Windows and open it with wireshark:
The wireshark just recognizes the packet as “Raw IP” format, but can’t show details.
After referring discussion in Wireshark mailing list, I know it is related to network link-layer header type. 0x0C stands for “Raw IP”:
I modified the 0x0C to 0x6C, which means “OpenBSD loopback”:
Now the packets can be decoded successfully:
P.S., I also started a discussion about this issue in mailing list.
Update: I write a script to do this conversion.
Hello Nan Xiao,
I replied to your reddit post at reddit.com/r/openbsd/comments/9a6qkj/the_difference_of_loopback_packets_on_linux_and/ . Do you have any news on this?
Thanks for this blog post.
Hello tryfail,
No any news, thanks!
Best Regards
Nan Xiao
Hello again Nan Xiao,
I worked on this a bit since we last talked here. See my reply at https://www.reddit.com/r/openbsd/comments/9a6qkj/the_difference_of_loopback_packets_on_linux_and/e90mliu
This form was throwing some errors when pasting the python sample here.
Regards