Subject: Re: Dumping encrypted and unencrypted packets when using IPSec
To: Curt Sampson <cjs@cynic.net>
From: Greg Troxel <gdt@ir.bbn.com>
List: tech-net
Date: 04/09/2004 10:12:54
  [bpf capture of IPsec after processing]

This would indeed be nice.

  [pppoe should maybe not show pppoe header]

My first reaction was that it should just show the IP packets perhaps
with DLT_NULL, but then I thought that pppoe0 should act very much
like ppp0, which I think uses DLT_PPP and dumps PPP frames.  I think
the current behavior is like this - the Ethernet frames are omitted on
pppoe(4), but not the PPPoE frame headers (which seem to be a little
different from PPP headers, but not that much).

I have been happy with the tcpdump behavior on ppp(4).  Probably on
pppoe(4) (DLT_PPP_ETHER) tcpdump should just print the packet contents
and not actually show the frame headers (without -v), so it works the
same way.  I don't have a pppoe box handy, so I'm guessing that the
default behavior shows them.

It would be sort of nice, but probably bloat, to have ppp-type
interfaces also support DLT_NULL, and just ship the raw data packets,
tagged with AF (like tun0 used to do - I haven't looked lately).

The tension here for me is that sometimes I want to see just IP
packets on an interface - with a uniform presentation across interface
types, and sometimes I want to see a very close representation of what
is on the interface itself.

-- 
        Greg Troxel <gdt@ir.bbn.com>
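
Added example, not part of the original message and not tcpdump or NetBSD code: a sketch of the "uniform presentation" idea above, locating the IP header in frames captured as DLT_NULL, DLT_PPP or DLT_PPP_ETHER. The helper names and sample frames are hypothetical and constructed; the link-type numbers are the values libpcap assigns.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Link-type values as assigned by libpcap/bpf. */
enum { DLT_NULL = 0, DLT_PPP = 9, DLT_PPP_ETHER = 51 };

/* Constructed, truncated sample frames; each carries the start of an IPv4 header. */
const uint8_t null_frame[]  = { 0x02, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x14 };
const uint8_t ppp_frame[]   = { 0xff, 0x03, 0x00, 0x21, 0x45, 0x00, 0x00, 0x14 };
const uint8_t pppoe_frame[] = { 0x11, 0x00, 0x00, 0x01, 0x00, 0x16,
                                0x00, 0x21, 0x45, 0x00, 0x00, 0x14 };

/* Length of the PPP protocol field if it announces IPv4 or IPv6, else -1. */
static long ppp_ip_proto(const uint8_t *p, size_t len)
{
    if (len < 2) return -1;
    unsigned proto = (unsigned)p[0] << 8 | p[1];
    return (proto == 0x0021 || proto == 0x0057) ? 2 : -1;
}

/* ip_offset() (hypothetical helper): offset of the IP header in a frame
 * captured with the given link type, or -1 if the frame carries no IP. */
long ip_offset(int dlt, const uint8_t *f, size_t len)
{
    size_t off = 0;
    long n = 0;
    switch (dlt) {
    case DLT_NULL:       /* 4-byte AF tag; AF_INET6 differs per OS, so not checked */
        off = 4; break;
    case DLT_PPP:        /* optional HDLC address/control bytes ff 03 */
        if (len >= 2 && f[0] == 0xff && f[1] == 0x03) off = 2;
        n = ppp_ip_proto(f + off, len - off);
        break;
    case DLT_PPP_ETHER:  /* RFC 2516 header: ver/type, code, session id, length */
        if (len < 6 || f[0] != 0x11 || f[1] != 0x00) return -1;  /* session data only */
        off = 6;
        n = ppp_ip_proto(f + off, len - off);
        break;
    default: return -1;
    }
    if (n < 0) return -1;
    off += (size_t)n;
    if (off >= len) return -1;
    return (f[off] >> 4 == 4 || f[off] >> 4 == 6) ? (long)off : -1;
}

int main(void)
{
    printf("pppoe IP header at offset %ld\n", ip_offset(DLT_PPP_ETHER, pppoe_frame, sizeof pppoe_frame));
    return 0;
}
```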