On Sat, May 09, 2026 at 11:37:42AM +0100, Stuart Henderson wrote:
> On 2026/05/09 12:26, Alexandr Nedvedicky wrote:
> > On the other hand, thinking more about the whole situation here...
> > what would actually help to trouble shoot wireguard configuration
> > issues is ability to use tcpdump for both wireguard's ends:
> > like intercepting packet when it enters wg interface and when
> > it leaves interface (or after applying wgaip policy). Another
> > option would be to have something similar like we have for pflog(4),
> > just send dropped packets by wireguard to pflog(4)-like interface.
> 
> That would be quite a different direction for pcap/tcpdump. I think it
> woukd be a pain to implement consistently for various interface types
> (and probably need pcap hooks in two different places?)

it would be a very large hammer.

> It would be nice to have some netstat -s stats for wg(4), and that would
> be a good place for users to at least identify packets not matching wgaip.

i was considering a set of wg port kstats for this. you wanna give it a
go?