I am trying to understand why when using tcpdump on the loopback interface, only half of the packets received by the filter are captured. But when I run the exact same traffic and do tcpdump on the eth0 interface all the traffic is captured.
In both cases I am targeting specific ports with the traffic and for the tcpdump.
I spotted a similar question on here: why tcpdump captures on half the packets
The suggestion there was that it was filtering duplicates sent and received by/at the interface. They were looking at the whole interface and not singling out specific ports. Here this does not appear to be the case, as I am using the dump on specific ports, with the source and destination ports for the traffic being different. Also, looking at eth0 with the same traffic, I can see all the captured packets that are being received by both the lo and eth0 filters.
For example, I send 10 UDP packets to both eth0 and lo, and I get the following:
tcpdump -i eth0 udp port xxxx
10 packets captured
10 packets received by filter
0 packets dropped by kernel
tcpdump -i lo udp port xxxx
5 packets captured
10 packets received by filter
0 packets dropped by kernel
So it looks like tcpdump is filtering traffic only for the loopback, possibly grabbing every second packet. The timestamps seem to indicate this: if I am sending packets at a rate of 1 packet per second, on eth0 I see the captured packets occur at 1-second intervals, while on lo the captured packets occur at 2-second intervals.
Is there some default configuration for tcpdump on a loopback that causes it to filter every second packet?
Or am I misunderstanding something? It seems strange that tcpdump would operate differently depending on the interface chosen.