On 2026/05/09 12:26, Alexandr Nedvedicky wrote:
> On the other hand, thinking more about the whole situation here...
> what would actually help to trouble shoot wireguard configuration
> issues is ability to use tcpdump for both wireguard's ends:
> like intercepting packet when it enters wg interface and when
> it leaves interface (or after applying wgaip policy). Another
> option would be to have something similar like we have for pflog(4),
> just send dropped packets by wireguard to pflog(4)-like interface.

That would be quite a different direction for pcap/tcpdump. I think it
woukd be a pain to implement consistently for various interface types
(and probably need pcap hooks in two different places?)

It would be nice to have some netstat -s stats for wg(4), and that would
be a good place for users to at least identify packets not matching wgaip.