From: Stuart Henderson
Subject: Re: wg(4): move bpf on outgoing packets later in the transmit path
To: Alexandr Nedvedicky
Cc: David Gwynne, tech@openbsd.org
Date: Sat, 9 May 2026 11:37:42 +0100

On 2026/05/09 12:26, Alexandr Nedvedicky wrote:
> On the other hand, thinking more about the whole situation here...
> what would actually help to troubleshoot wireguard configuration
> issues is ability to use tcpdump for both wireguard's ends:
> like intercepting packet when it enters wg interface and when
> it leaves interface (or after applying wgaip policy). Another
> option would be to have something similar like we have for pflog(4),
> just send dropped packets by wireguard to pflog(4)-like interface.

That would be quite a different direction for pcap/tcpdump. I think
it would be a pain to implement consistently for various interface types
(and probably need pcap hooks in two different places?)

It would be nice to have some netstat -s stats for wg(4), and that would
be a good place for users to at least identify packets not matching
wgaip.