Does bpf provide an accurate-enough timestamp?  The better experiments 
  I've seen that involve timestamped packet capture tend to do the 
  timestamping in the driver itself.

Generally drivers call bpf_tap very soon after the packet is in, and
then a timestamp is obtained and stored with the packet.  Some network
interfaces can timestamp packet arrival times (as opposed to waiting
for DMA to complete and then have an interrupt be handled), but I'm
not aware of support for that feature in NetBSD; it would be cool to
add, and might involve a bpf_mtap_ts call that takes the timestamp.

-- 
        Greg Troxel <gdt@ir.bbn.com>