One thought - the tcpdump is incomplete by just looking at port 80 you can't see what ICMP are being sent.
Well, the idea was to reduce the amount of data reported by tcpdump. My naive assumption was that running the two tcpdump's on eth0 and ppp0, I would see the request packet coming from eth0, the masqueraded one on ppp0, and the same process in the opposite direction for the reply.
Why do you think it would be important to see the icmp's, too?
Just thought it would be better to be able to see all what was going on - I have no specific ideas, though.
Andy.
