Subject: Re: pflog on NetBSD
To: Jeremy C. Reed <reed@reedmedia.net>
From: Brian A. Seklecki <lavalamp@spiritual-machines.org>
List: netbsd-users
Date: 09/19/2006 09:42:38
Interesting, same results with newer version:

/usr/pkgsrc/net/tcpdump/work/tcpdump-3.9.4$ ./tcpdump -V 
tcpdump version 3.9.4
libpcap version 0.9.4

$ /usr/sbin/tcpdump -V
tcpdump version 3.8.3
libpcap version 0.8.3

$ sudo ./tcpdump -n -e -ttt -i pflog0 -vvv
344315 rule 0/0(match): block in on le0: (tos 0x0, ttl  63, id 61456, 
offset 0, flags [DF], proto: TCP (6), length: 64) 206.210.89.228 > 
206.210.89.196: [|tcp]

I'll have to have a look at how OpenBSD has patched print-pf.c, which is 
almost a certainty given the version diff:

(OpenBSD)

$u@s/home/seklecki$ tcpdump -V
tcpdump version 3.4.0
libpcap version 0.5

~BAS

On Fri, 15 Sep 2006, Jeremy C. Reed wrote:

>> On the same subject, has anyone noticed the different format of pflog(4) on
>> NetBSD vs. OpenBSD.  Specifically, for ICMP/TCP/UDP, the type/port is absent
>> from the source/destination address:
>>
>>  OpenBSD pflog(4) line:
>>
>> Sep 15 21:47:46.420650 rule 0/(match) block out on vlan40:
>> 206.210.89.202.62343 > 67.72.4.94.80: R 1515499462:1515499462(0) ack
>> 2101925191 win 0
>>
>>  NetBSD pflog(4) line:
>>
>> 015133 rule 0/0(match): block in on fxp0: IP 206.210.112.118 > 206.210.72.83:
>> [|tcp]
>>
>> TCP/UDP port = missing
>>
>> This is with: # tcpdump -ttt -e -vvv -i pflog0 -e -n on both.
>>
>> I'll open a PR.
>
> The tcpdump code (such as print-pflog.c) is different. Maybe updating will
> correct this?
>

l8*
 	-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
 	       http://www.spiritual-machines.org/

"...from back in the heady days when "helpdesk" meant nothing, "diskquota"
meant everything, and lives could be bought and sold for a couple of pages
of laser printout - and frequently were."
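As an added example (not part of this thread), a small Python parser for the two pflog(4) tcpdump line formats quoted above; it reports records where the ports are missing or tcpdump printed the `[|tcp]` truncation marker, so a log pipeline can tell a decoding problem from a real portless packet. All names and the sample lines are my own construction, copied from the output shown in the thread.

```python
import re
from typing import Optional

# pflog(4) prefix as tcpdump prints it on both systems in the thread:
#   OpenBSD: "rule 0/(match) block out on vlan40:"
#   NetBSD:  "rule 0/0(match): block in on fxp0:"
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d*\(\w+\):? "
    r"(?P<action>block|pass|match) (?P<dir>in|out) on (?P<ifname>\w+):"
)
# IPv4 endpoints; the ".port" suffix is optional because the NetBSD build
# prints bare addresses when it does not decode the transport header.
ENDPOINT_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:"
)
# "[|tcp]" is tcpdump's marker for a transport header it could not decode.
TRUNC_RE = re.compile(r"\[\|(?:tcp|udp|icmp)\]")

def parse_pflog_line(line: str) -> Optional[dict]:
    """Parse one tcpdump pflog0 line; None if it is not a pflog record."""
    m = PFLOG_RE.search(line)
    if m is None:
        return None
    e = ENDPOINT_RE.search(line, m.end())
    if e is None:
        return None
    return {
        "rule": int(m["rule"]), "action": m["action"], "dir": m["dir"],
        "ifname": m["ifname"], "src": e["src"], "dst": e["dst"],
        "sport": int(e["sport"]) if e["sport"] else None,
        "dport": int(e["dport"]) if e["dport"] else None,
        "truncated": TRUNC_RE.search(line) is not None,
    }

def portless_entries(lines):
    """Parsed records whose source or destination port was not decoded."""
    parsed = (parse_pflog_line(l) for l in lines)
    return [p for p in parsed if p and (p["sport"] is None or p["dport"] is None)]

# Constructed sample input, copied from the lines quoted in this thread.
SAMPLE_LINES = [
    "Sep 15 21:47:46.420650 rule 0/(match) block out on vlan40: "
    "206.210.89.202.62343 > 67.72.4.94.80: R 1515499462:1515499462(0) ack "
    "2101925191 win 0",
    "015133 rule 0/0(match): block in on fxp0: IP 206.210.112.118 > "
    "206.210.72.83: [|tcp]",
]
```

Running `portless_entries(SAMPLE_LINES)` returns only the NetBSD record, flagged as truncated; the OpenBSD line parses with both ports present.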