So you have an emulator program, and it opens a /dev/tap, and
reads/writes packets and makes those appear to show up/come from the
emulated network interface on the PDP-10?

Then on the host are you bridging /dev/tap0 to a regular ethernet?

I think you are saying that if you then run 'tcpdump -i tap0' on the
host, then packets from host to emulator and emulator to host are
printed by tcpdump.  But, without -p, then the packets from the host
towards the emulator are apparently not received.

I suggest adding a printf to the emulator when reading packets from the
tap device.

In src/sys/dev/if_tap.c, see tap_dev_read.  The call to bpf_tap looks
normal relative to other drivers.

Setting promiscuous mode will call net/if.c:ifpromisc which will call
net/if_ethersubr.c:ether_ioctl which will call tap_init.

tap_init calls tap_start, and that seems to introduce an extra wakeup
and OACTIVE flag, and that seems wrong.  Try removing the tap_start call
from tap_init and rebuilding the host kernel.