1) linux 2.6 kernel ipsec (encrypt and decrypt) and
I remember seeing an answer to this one on the list a while ago, check the list archives. Vaguely remember that it goes through the Netfilter twice (encrypted, and then unencrypted). But don't remember if it was for *swan, linux native implementation, or both.
2) linux packet sniffers (tcpdump, ethereal)
Packet sniffers always give you packets as they arrive from the wire, and as they leave to the wire, since they work by opening the device directly. So, in table 3-1 it would be part of step 2, in table 3-2 part of step 8, and in table 3-3 part of steps 2 and 10.
-- Aleksandar Milivojevic <amilivojevic@xxxxxx> Pollard Banknote Limited Systems Administrator 1499 Buffalo Place Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7