Odd routing behaviour on return route for packets under 2.0.33

Odd routing behaviour on return route for packets under 2.0.33

Post by Steve Resnic » Fri, 29 May 1998 04:00:00


(Don, Allan ideas?)

I have a machine with two ethernet cards, two class C networks and
roughly 50 IP aliases on various devices.

The two class C networks are distinctly different, i.e., the MSB of the
network address is different, and both use a 24 bit netmask.

for the sake of argument:

eth0 is setup on net 1: eth1 is setup on net 2

The default route is to our router on eth0, the address is

So far, so good.

We bill our customers based on traffic usage and I wrote a libpcap based
package to track network usage and calculate aggregates for 5 minute
periods and flush this data to disk. I originally wrote this on a Sun
machine running solaris 2.5.1.

This worked rather well and I was able to account for all traffic by
walking through the ethernet and tcp/ip headers to find the data size.

I rewrote this package to run under 2.0.33 and now I have an odd
problem: Packets sent to a particular address all use the same address
on the return path.

If, from a different machine on our network at, I ping,
with record route, to an address on the machine in question, I see:

PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=1.3 ms

And if I traceroute from the machine in question to another machine on
our local network, and that address is on net 2, it still goes out over
net 1:

traceroute -n

traceroute to (, 30 hops max, 40 byte
 1  0.704 ms  0.606 ms  0.604 ms

So, the problem here is that I cannot track the traffic generated by by
a particular website, since the source address of all outbound traffic
is not the address of the website, but rather the primary address on
eth0 (

I have checked /proc/sys/net/ipv4/ip_forwarding and the value is 0, so I
am assuming ip_forwarding is turned off.

Is there a way to make this work properly, that is to say, if I request
data from a particular address the address used on the sending is
correct as well?

What else am I missing or should I be looking for?

TIA, Steve

/|\ Steve Resnick * 0x2b |~ 0x2b What was the question?
\|/ Please note the REMOVE-BEFORE-SENDING in my e-mail address above.
/|\ Make SPAM once again be the odd looking stuff in the blue can!