Subject: Re: pflog on NetBSD
To: David Brownlee <abs@NetBSD.org>
From: Brian A. Seklecki <lavalamp@spiritual-machines.org>
List: netbsd-users
Date: 10/06/2006 10:41:15
All:
I opened: bin/34733
Also, I figured something else out while checking the upstream vendor:
http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/interface.h?rev=1.271
I may be the first person to notice/report this because I'm using NetBSD
in an embedded environment with a highly profiled kernel (IPv6 stripped
out and lots of mk.conf(5) flags). I was looking at the code and
realized the default snaplen was a _compile time_ option. See below:
~BAS
Here they're doing the 68 vs. 96 for a different reason than
pflog(4).
/*
 * The default snapshot length. This value allows most printers to print
 * useful information while keeping the amount of unwanted data down.
 */
#ifndef INET6
#define DEFAULT_SNAPLEN 68 /* ether + IPv4 + TCP + 14 */
#else
#define DEFAULT_SNAPLEN 96 /* ether + IPv6 + TCP + 22 */
#endif
On Fri, 22 Sep 2006, David Brownlee wrote:
> On Fri, 22 Sep 2006, Michael-John Turner wrote:
>
>> On Fri, Sep 22, 2006 at 09:29:38AM -0400, Brian A. Seklecki wrote:
>>> Perhaps it has something to do with the underlying protocol? Was your
>>> tcpdump on ethernet? OpenBSD has made the snarf length of 96 hard coded
>>> into their in-tree tcpdump src.
>>
>> Sounds like a reasonable theory - my loginterface is a pppoe(4) device.
>>
>>> Perhaps a note could be installed into the example tcpdump(8) in
>>> src/dist/pf/share/man/man4/pflog.4 with flag "-s 96".
>>
>> Sounds good to me.
>
> Would it make sense for NetBSD to default to 96 also?
>
> --
> David/absolute -- www.NetBSD.org: No hype required --
>
l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/
"...from back in the heady days when "helpdesk" meant nothing, "diskquota"
meant everything, and lives could be bought and sold for a couple of pages
of laser printout - and frequently were."
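
A way to check whether an existing capture was cut off by the compiled-in default snaplen discussed above, added here as an example that is not part of the original message: it reads the classic pcap file header and the per-packet headers and lists every packet whose captured length is shorter than its on-wire length. The sample capture, its packet lengths and the function names are constructed for illustration; 117 is libpcap's link type for pflog captures.

```python
import struct

DLT_PFLOG = 117  # libpcap link type for pflog(4) captures

def truncated_records(pcap_bytes):
    """Return (snaplen, linktype, [(index, caplen, wirelen), ...]) for cut-off packets."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xa1b2c3d4 written little-endian
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    # version major/minor, thiszone, sigfigs, snaplen, link type
    _, _, _, _, snaplen, linktype = struct.unpack(endian + "HHiIII", pcap_bytes[4:24])
    cut, off, idx = [], 24, 0
    while off + 16 <= len(pcap_bytes):
        # ts_sec, ts_usec, bytes saved in the file, bytes seen on the wire
        _, _, caplen, wirelen = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        if caplen < wirelen:
            cut.append((idx, caplen, wirelen))
        off += 16 + caplen
        idx += 1
    return snaplen, linktype, cut

def build_sample(snaplen, wire_lengths):
    """Constructed capture: zero-filled packets of the given on-wire lengths."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, DLT_PFLOG)
    for n, wirelen in enumerate(wire_lengths):
        caplen = min(wirelen, snaplen)    # what a capture at this snaplen would keep
        out += struct.pack("<IIII", n, 0, caplen, wirelen) + bytes(caplen)
    return out

if __name__ == "__main__":
    lengths = [60, 68, 88, 120]           # constructed on-wire sizes
    for snap in (68, 96):                 # the two compile-time defaults
        snaplen, linktype, cut = truncated_records(build_sample(snap, lengths))
        print(f"snaplen={snaplen} linktype={linktype} truncated={cut}")
```
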