Hi folks, I was looking for this same answer in part for the same use case as @JohanW and searching led me here.
I understand that logging network traffic is a non-trivial task and I bet that’s especially difficult when talking about subnet traffic passing through. That said, it looks like the traffic log patterns are missing a lot of traffic.
Does it happen to be logging based on samples taken every 10 seconds or so? It looks like the only traffic being reported in the logs is traffic that:
- is TCP
- is being tracked in something like the NAT table or an open socket or similar
It might not intentionally be only picking up TCP traffic; that could be an artifact of the stateful nature of TCP over UDP and ICMP. Either way though, lots of traffic is flowing across the subnet bridge that is not being logged in the tailscale logs.
@JohanW, since you specifically were worried about that scenario, FYI. I suggest relying on a different method for capturing network traffic at that transition.
Separately from all of the above, the local logs are doing a good job of capturing the fact that traffic occurred between tailscale nodes, at least. It’ll be nice to get access to this API some day to not have to worry that we’re missing a log upload somewhere. (And your API will be better than what I’ve hacked together, 100%.)
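The gap described in this post (flows crossing the subnet router that never appear in the flow log) is easiest to quantify by cross-checking the log against an independent capture taken at the same point. The script below is an added example, not code from the thread's author or from Tailscale: both record formats are constructed and simplified stand-ins (a one-line-per-flow capture summary and a key=value flow log), not Tailscale's real flow-log schema, and the addresses are made up. It reports which observed flows are unlogged and tallies them per protocol, which is what would surface a TCP-only pattern like the one described above.

```python
# Added example (not from the original post or from Tailscale): check flow-log
# coverage against an independent capture taken at the subnet router's bridge.
# Both record formats are constructed and simplified for illustration.
from collections import Counter
from typing import Set, Tuple


class Flow:
    """One unidirectional flow, keyed so wire and log records can be compared."""

    def __init__(self, proto: str, src: str, dst: str, dport: int) -> None:
        self.proto = proto   # "tcp", "udp" or "icmp"
        self.src = src
        self.dst = dst
        self.dport = dport   # 0 where the protocol has no port (ICMP)

    def _key(self):
        return (self.proto, self.src, self.dst, self.dport)

    def __eq__(self, other) -> bool:
        return isinstance(other, Flow) and self._key() == other._key()

    def __hash__(self) -> int:
        return hash(self._key())

    def __repr__(self) -> str:
        return f"Flow({self.proto} {self.src}->{self.dst}:{self.dport})"


# Constructed sample: flows seen on the wire, "<proto> <src> <dst> <dport>",
# with "-" as the port for ICMP. Addresses are invented.
WIRE_CAPTURE = """\
tcp 100.64.0.5 10.2.0.10 443
tcp 100.64.0.5 10.2.0.11 22
udp 100.64.0.5 10.2.0.53 53
udp 100.64.0.7 10.2.0.20 514
icmp 100.64.0.7 10.2.0.10 -
"""

# Constructed sample: the flow log as uploaded, one key=value record per line.
FLOW_LOG = """\
proto=tcp src=100.64.0.5 dst=10.2.0.10 dport=443
proto=tcp src=100.64.0.5 dst=10.2.0.11 dport=22
"""


def parse_capture(text: str) -> Set[Flow]:
    """Parse the constructed capture-summary format into a set of flows."""
    flows: Set[Flow] = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, dport = line.split()
        flows.add(Flow(proto, src, dst, 0 if dport == "-" else int(dport)))
    return flows


def parse_flow_log(text: str) -> Set[Flow]:
    """Parse the constructed key=value flow-log format into a set of flows."""
    flows: Set[Flow] = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(field.split("=", 1) for field in line.split())
        flows.add(Flow(kv["proto"], kv["src"], kv["dst"], int(kv.get("dport", 0))))
    return flows


def coverage_gap(wire: Set[Flow], logged: Set[Flow]) -> Tuple[Set[Flow], Counter]:
    """Flows observed on the wire but absent from the log, plus a per-protocol tally."""
    missing = wire - logged
    return missing, Counter(f.proto for f in missing)


def coverage_ratio(wire: Set[Flow], logged: Set[Flow]) -> float:
    """Fraction of observed flows that made it into the log (1.0 when nothing was observed)."""
    return len(wire & logged) / len(wire) if wire else 1.0


if __name__ == "__main__":
    wire = parse_capture(WIRE_CAPTURE)
    logged = parse_flow_log(FLOW_LOG)
    missing, by_proto = coverage_gap(wire, logged)
    print(f"coverage: {coverage_ratio(wire, logged):.0%} of observed flows logged")
    print("unlogged flows by protocol:", dict(by_proto))
    for flow in sorted(missing, key=repr):
        print("  missing:", flow)
```

Run against a real capture, the per-protocol tally is the useful signal: if every missing flow is UDP or ICMP while TCP coverage is complete, the log is tracking connection state rather than packets, and a packet-level capture (or kernel forwarding logs) at the router is the right source for the traffic that crosses it.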