Unexpected traffic sent on wan interface to china and japan, not seen on br-lan

So here I am with my Buffalo WXR-2533DHP

I was configuring collectd graphs and I noted that the traffic pattern on the wan was not a match with the traffic pattern on the br-lan, so I decided to go deeper into that and find out what was the story.

So I have 2x 4G usb dongles connected via mwan3, eth2 and eth3, both same operator, nothing special here.

But if you look at the image I attached:

Up left corner eth2, sending traffic from the wan interface to china
Up right corner eth3, sending traffic from the wan interface to japan
Down left corner br-lan, just discovery Tuya traffic, there is no match at all with the traffic displayed on the eth2 and the eth3!
All wiresharks were capturing traffic at the same time.

So, my question is, what is triggering that traffic?
I don't have any particular stuff on the openwrt, actually it is a fresh installation

cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='22.03.5'
DISTRIB_REVISION='r20134-5f15225c1e'
DISTRIB_TARGET='ipq806x/generic'
DISTRIB_ARCH='arm_cortex-a15_neon-vfpv4'
DISTRIB_DESCRIPTION='OpenWrt 22.03.5 r20134-5f15225c1e'
DISTRIB_TAINTS=''

Any idea? Because it is very strange, I can't find a reason for it.

lsof does not display anything unusual

lsof -i udp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dnsmasq 5149 dnsmasq 4u IPv4 8850 0t0 UDP *:bootps
unbound 6142 unbound 3u IPv4 11199 0t0 UDP *:domain

Some searching suggests 21116/udp is associated with Rustdesk Remote Desktop viewer. Ever used it?

Yes, I just found a very old phone on the wifi connected and yes, rustdesk was installed there.
I don't understand yet why I didn't see the traffic on br-lan before, I guess it was because of the load? But I also tried tcpdump locally and no traffic appeared there.

I don't know if this applies to your setup but I have seen situations where packet captures didn't get traffic I expected on systems with switch chips. I may be mis-remembering but if the packets are not cpu processed, but are switched in the switch chip, they do not show up. There may not be any hooks for tcpdump to get access in these low-end consumer grade switches. Maybe some kind of mirroring setup can get the desired packets to pass through a path with visibility assuming cpu routing isn't in play.

I know what you are referring to, something similar to CEF and process switching on Cisco.
However, the fact that tcpdump does not see all the traffic imposes a limit on solutions like darkstat for analysis.

I have SW and HW offloading enabled so that might be also related to the tcpdump limitation.
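A way to do the eth2-versus-br-lan comparison from this thread on tcpdump text rather than by eye, as an added Python example that is not from any of the posts above or from OpenWrt: it keys flows on the destination only, because NAT rewrites the LAN source address on the WAN side, and lists destinations that show up on the WAN capture but never on br-lan, which is exactly the offload symptom described here. The capture lines, addresses and port numbers are constructed samples in the shape of `tcpdump -ni <iface>` output.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of `tcpdump -ni eth2` and `tcpdump -ni br-lan`
# output captured at the same time (not a real capture from the thread).
WAN_ETH2 = """\
12:00:01.000100 IP 100.64.10.7.40001 > 203.0.113.9.21116: UDP, length 86
12:00:01.000200 IP 100.64.10.7.40001 > 203.0.113.9.21116: UDP, length 86
12:00:01.050000 IP 100.64.10.7.51000 > 198.51.100.20.443: Flags [S], seq 1, win 64240, length 0
"""
LAN_BRLAN = """\
12:00:01.049000 IP 192.168.1.20.51000 > 198.51.100.20.443: Flags [S], seq 1, win 64240, length 0
12:00:01.070000 IP 192.168.1.30.6667 > 255.255.255.255.6667: UDP, length 172
"""

# IPv4 only: tcpdump prints `src.port > dst.port:` then "UDP" or, for TCP, "Flags".
PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (UDP|Flags)")


def parse_flows(text):
    # (dst_ip, dst_port, proto) -> set of source IPs. The source is left out of the key
    # because NAT rewrites it on eth2/eth3; only the destination side is stable across taps.
    flows = defaultdict(set)
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        src, _sport, dst, dport, kind = m.groups()
        flows[(dst, int(dport), "udp" if kind == "UDP" else "tcp")].add(src)
    return flows


def wan_only_flows(wan_text, lan_text):
    # Destinations in the WAN capture that never appear on br-lan: either the router
    # itself originated them, or they took the offload/switch path the br-lan tap misses.
    lan = parse_flows(lan_text)
    return sorted(key for key in parse_flows(wan_text) if key not in lan)


def lan_sources(lan_text, dst_ip, dst_port, proto):
    # LAN hosts that talked to a destination (answerable only once the flow is visible on br-lan).
    return sorted(parse_flows(lan_text).get((dst_ip, dst_port, proto), set()))


if __name__ == "__main__":
    for dst, port, proto in wan_only_flows(WAN_ETH2, LAN_BRLAN):
        print(f"seen on eth2 but not br-lan: {proto}/{port} -> {dst}")
    print("br-lan hosts for 198.51.100.20:443:", lan_sources(LAN_BRLAN, "198.51.100.20", 443, "tcp"))
```

Flows that land in the "not on br-lan" list are the ones to re-check with offloading turned off, since a flow the LAN tap never sees cannot be attributed to a host with darkstat or a LAN-side capture.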
