Index: contrib/tcpdump/addrtoname.c =================================================================== --- contrib/tcpdump/addrtoname.c +++ contrib/tcpdump/addrtoname.c @@ -26,6 +26,11 @@ #include "config.h" #endif +#ifdef HAVE_CASPER +#include +#include +#endif /* HAVE_CASPER */ + #include #ifdef USE_ETHER_NTOHOST @@ -207,6 +212,9 @@ static uint32_t f_netmask; static uint32_t f_localnet; +#ifdef HAVE_CASPER +extern cap_channel_t *capdns; +#endif /* * Return a name for the IP address pointed to by ap. This address @@ -252,7 +260,13 @@ */ if (!ndo->ndo_nflag && (addr & f_netmask) == f_localnet) { - hp = gethostbyaddr((char *)&addr, 4, AF_INET); +#ifdef HAVE_CASPER + if (capdns != NULL) { + hp = cap_gethostbyaddr(capdns, (char *)&addr, 4, + AF_INET); + } else +#endif + hp = gethostbyaddr((char *)&addr, 4, AF_INET); if (hp) { char *dotp; @@ -307,7 +321,14 @@ * Do not print names if -n was given. */ if (!ndo->ndo_nflag) { - hp = gethostbyaddr((char *)&addr, sizeof(addr), AF_INET6); +#ifdef HAVE_CASPER + if (capdns != NULL) { + hp = cap_gethostbyaddr(capdns, (char *)&addr, + sizeof(addr), AF_INET6); + } else +#endif + hp = gethostbyaddr((char *)&addr, sizeof(addr), + AF_INET6); if (hp) { char *dotp; Index: contrib/tcpdump/ipproto.c =================================================================== --- contrib/tcpdump/ipproto.c +++ contrib/tcpdump/ipproto.c @@ -51,6 +51,7 @@ { IPPROTO_SCTP, "SCTP" }, { IPPROTO_MOBILITY, "Mobility" }, { IPPROTO_CARP, "CARP" }, + { IPPROTO_PFSYNC, "pfsync" }, { 0, NULL } }; Index: contrib/tcpdump/netdissect.h =================================================================== --- contrib/tcpdump/netdissect.h +++ contrib/tcpdump/netdissect.h 
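Review bot: The `extern cap_channel_t *capdns;` declaration added at file scope in addrtoname.c (hunk at -207) repeats by hand the definition this patch adds in tcpdump.c, so the compiler cannot check that the two stay in agreement. Moving the declaration into a header that both files include, still under `#ifdef HAVE_CASPER`, would give it a single source of truth. A comment such as `/* Casper DNS channel; stays NULL when -n is given because capdns_setup() is not called. */` would also document the NULL case that the lookup code tests for.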
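Review bot: In the hunk at -252 the braced `if (capdns != NULL) { ... } else` ends on a bare `else` directly before `#endif`, so the following `hp = gethostbyaddr(...)` is an else-body only when HAVE_CASPER is defined. Any statement later inserted between `#endif` and that call silently becomes the else-branch instead. The AF_INET6 hunk at -307 repeats the same construct. A small static helper that hides the `#ifdef` removes the dangling `else` and keeps both call sites to one line; the helper name below is only a suggestion. Both enclosing functions start and end outside the hunks.

```c
/* Reverse-resolve through the Casper channel when one is open. */
static struct hostent *
reverse_lookup(const void *addr, socklen_t len, int af)
{
#ifdef HAVE_CASPER
	if (capdns != NULL)
		return (cap_gethostbyaddr(capdns, addr, len, af));
#endif
	return (gethostbyaddr(addr, len, af));
}

/* ... unchanged: local-net check guarding the IPv4 lookup ... */
		hp = reverse_lookup(&addr, 4, AF_INET);
/* ... unchanged: -n check guarding the IPv6 lookup ... */
		hp = reverse_lookup(&addr, sizeof(addr), AF_INET6);
```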
@@ -569,6 +569,7 @@ extern int ospf_print_grace_lsa(netdissect_options *, const uint8_t *, u_int); extern int ospf_print_te_lsa(netdissect_options *, const uint8_t *, u_int); extern void otv_print(netdissect_options *, const u_char *, u_int); +extern void pfsync_ip_print(netdissect_options *, const u_char *, u_int); extern void pgm_print(netdissect_options *, const u_char *, u_int, const u_char *); extern void pim_print(netdissect_options *, const u_char *, u_int, const u_char *); extern void pimv1_print(netdissect_options *, const u_char *, u_int); Index: contrib/tcpdump/print-esp.c =================================================================== --- contrib/tcpdump/print-esp.c +++ contrib/tcpdump/print-esp.c @@ -246,7 +246,7 @@ * XXX - of course this is wrong, because buf is a const buffer, * but changing this would require a more complicated fix. */ - memcpy(buf, output_buffer, len); + memcpy(__DECONST(u_char *, buf), output_buffer, len); free(output_buffer); ndo->ndo_packetp = buf; @@ -798,7 +798,7 @@ * const buffer, but changing this would require a * more complicated fix. */ - memcpy(p + ivlen, output_buffer, len); + memcpy(__DECONST(u_char *, p + ivlen), output_buffer, len); free(output_buffer); advance = ivoff - (const u_char *)esp + ivlen; } else Index: contrib/tcpdump/print-ip.c =================================================================== --- contrib/tcpdump/print-ip.c +++ contrib/tcpdump/print-ip.c @@ -498,6 +498,12 @@ pgm_print(ndo, ipds->cp, ipds->len, (const u_char *)ipds->ip); break; +#if defined(HAVE_NET_PFVAR_H) + case IPPROTO_PFSYNC: + pfsync_ip_print(ndo, ipds->cp, ipds->len); + break; +#endif + default: if (ndo->ndo_nflag==0 && (p_name = netdb_protoname(ipds->nh)) != NULL) ND_PRINT((ndo, " %s", p_name)); Index: contrib/tcpdump/tcpdump.c =================================================================== --- contrib/tcpdump/tcpdump.c +++ contrib/tcpdump/tcpdump.c 
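Review bot: `__DECONST(u_char *, buf)` in the print-esp.c hunk at -246, and `__DECONST(u_char *, p + ivlen)` at -798, only silence the qualifier warning. The decrypted bytes are still written into a capture buffer that callers passed as const, which the existing XXX comment already calls wrong. With the cast in place the compiler no longer flags the write, so a buffer that is ever read-only or shared would fault or be corrupted with no build-time signal. Neither hunk shows how `len` relates to the bytes remaining at the destination, so that bound is worth confirming on both paths. Decrypting into a private buffer and pointing `ndo->ndo_packetp` at it would remove the cast, at the cost of managing that buffer's lifetime; both functions extend outside the hunks.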
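Review bot: The new `case IPPROTO_PFSYNC:` in print-ip.c is guarded by `#if defined(HAVE_NET_PFVAR_H)`, but the `{ IPPROTO_PFSYNC, "pfsync" }` table entry in ipproto.c and the `pfsync_ip_print` prototype in netdissect.h are added with no guard. If the constant or the printer only exists together with that header, a build without it fails in ipproto.c instead of degrading cleanly; if they always exist, the guard here is the odd one out. Using one condition in all three places, with a short comment naming the header that supplies `IPPROTO_PFSYNC`, would make the intent clear. Since `ipds->len` is passed straight through, `pfsync_ip_print` (not visible here) has to do its own bounds checks against the captured length.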
@@ -76,10 +76,16 @@ * in the opposite order works fine. */ #ifdef HAVE_CAPSICUM -#include +#include +#include +#include #include #include #include +#ifdef HAVE_CASPER +#include +#include +#endif /* HAVE_CASPER */ #endif /* HAVE_CAPSICUM */ #include #include @@ -170,6 +176,10 @@ char *program_name; +#ifdef HAVE_CASPER +cap_channel_t *capdns; +#endif + /* Forwards */ static void error(FORMAT_STRING(const char *), ...) NORETURN PRINTFLIKE(1, 2); static void warning(FORMAT_STRING(const char *), ...) PRINTFLIKE(1, 2); @@ -711,6 +721,35 @@ return ret; } +#ifdef HAVE_CASPER +static cap_channel_t * +capdns_setup(void) +{ + cap_channel_t *capcas, *capdnsloc; + const char *types[1]; + int families[2]; + + capcas = cap_init(); + if (capcas == NULL) + error("unable to create casper process"); + capdnsloc = cap_service_open(capcas, "system.dns"); + /* Casper capability no longer needed. */ + cap_close(capcas); + if (capdnsloc == NULL) + error("unable to open system.dns service"); + /* Limit system.dns to reverse DNS lookups. */ + types[0] = "ADDR"; + if (cap_dns_type_limit(capdnsloc, types, 1) < 0) + error("unable to limit access to system.dns service"); + families[0] = AF_INET; + families[1] = AF_INET6; + if (cap_dns_family_limit(capdnsloc, families, 2) < 0) + error("unable to limit access to system.dns service"); + + return (capdnsloc); +} +#endif /* HAVE_CASPER */ + #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION static int tstamp_precision_from_string(const char *precision) 
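Review bot: Both limit failures in `capdns_setup()` report the identical string `"unable to limit access to system.dns service"`, so a `cap_dns_type_limit` failure cannot be told apart from a `cap_dns_family_limit` failure. Distinct messages such as `"unable to limit system.dns to ADDR lookups"` and `"unable to limit system.dns address families"` would make a sandbox setup failure diagnosable. The function also lacks a header comment; `/* Open a Casper system.dns channel restricted to reverse lookups for AF_INET and AF_INET6; exits via error() on any failure. */` would record the contract. The literal counts `1` and `2` could be written as `sizeof(types) / sizeof(types[0])` and the equivalent for `families`, so they cannot drift when an entry is added.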
@@ -1044,6 +1083,26 @@ } else if (status == PCAP_ERROR_PERM_DENIED && *cp != '\0') error("%s: %s\n(%s)", device, pcap_statustostr(status), cp); +#ifdef __FreeBSD__ + else if (status == PCAP_ERROR_RFMON_NOTSUP && + strncmp(device, "wlan", 4) == 0) { + char parent[8], newdev[8]; + char sysctl[32]; + size_t s = sizeof(parent); + + snprintf(sysctl, sizeof(sysctl), + "net.wlan.%d.%%parent", atoi(device + 4)); + sysctlbyname(sysctl, parent, &s, NULL, 0); + strlcpy(newdev, device, sizeof(newdev)); + /* Suggest a new wlan device. */ + newdev[strlen(newdev)-1]++; + error("%s is not a monitor mode VAP\n" + "To create a new monitor mode VAP use:\n" + " ifconfig %s create wlandev %s wlanmode monitor\n" + "and use %s as the tcpdump interface", + device, newdev, parent, newdev); + } +#endif else error("%s: %s", device, pcap_statustostr(status)); @@ -1770,6 +1829,12 @@ pcap_freecode(&fcode); exit_tcpdump(0); } + +#ifdef HAVE_CASPER + if (!ndo->ndo_nflag) + capdns = capdns_setup(); +#endif /* HAVE_CASPER */ + init_print(ndo, localnet, netmask, timezone_offset); #ifndef _WIN32 @@ -1991,7 +2056,12 @@ } #ifdef HAVE_CAPSICUM - cansandbox = (ndo->ndo_nflag && VFileName == NULL && zflag == NULL); + cansandbox = (VFileName == NULL && zflag == NULL); +#ifdef HAVE_CASPER + cansandbox = (cansandbox && (ndo->ndo_nflag || capdns != NULL)); +#else + cansandbox = (cansandbox && ndo->ndo_nflag); +#endif /* HAVE_CASPER */ if (cansandbox && cap_enter() < 0 && errno != ENOSYS) error("unable to enter the capability mode"); #endif /* HAVE_CAPSICUM */
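Review bot: The return value of `sysctlbyname(sysctl, parent, &s, NULL, 0)` in the wlan branch is ignored, so `parent[8]` may be left uninitialised or unterminated when the lookup fails or the parent name does not fit. It is then formatted with `%s` by `error()`, which can read stack memory past the array. Checking the call and falling back to the generic message avoids that: `if (sysctlbyname(sysctl, parent, &s, NULL, 0) < 0) error("%s: %s", device, pcap_statustostr(status));`, followed by `parent[sizeof(parent) - 1] = '\0';`. The suggested name is also fragile: `newdev[strlen(newdev)-1]++` turns `wlan9` into `wlan:` and a bare `wlan` into `wlao`, and `strlcpy` into `newdev[8]` truncates longer names. Building it from the parsed unit with `snprintf(newdev, sizeof(newdev), "wlan%d", unit + 1)` would be more robust; the enclosing function extends outside the hunk.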
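Review bot: With HAVE_CASPER the `cansandbox` change at -1991 lets the process enter capability mode without -n, so any print-time lookup that does not go through `capdns` will be denied inside the sandbox. The addrtoname.c hunks convert only the two `gethostbyaddr` calls. Their context also shows a `USE_ETHER_NTOHOST` conditional; if that path opens a file or database per packet it would presumably fail silently after `cap_enter()`, which is worth confirming. A comment above the block, e.g. `/* Without -n we can only sandbox when reverse DNS goes through the Casper channel. */`, would explain the three-step assignment. The enclosing function starts and ends outside the hunk.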