Index: contrib/tcpdump/tcpdump.c
===================================================================
--- contrib/tcpdump/tcpdump.c
+++ contrib/tcpdump/tcpdump.c
@@ -1924,11 +1924,13 @@
 * so we add the relevant access rights.
 */
 cap_rights_init(&rights, CAP_IOCTL, CAP_READ, CAP_EVENT);
- if (cap_rights_limit(pcap_fileno(pd), &rights) < 0 &&
+ if (pcap_fileno(pd) != -1 &&
+ cap_rights_limit(pcap_fileno(pd), &rights) < 0 &&
 errno != ENOSYS) {
 error("unable to limit pcap descriptor");
 }
- if (cap_ioctls_limit(pcap_fileno(pd), cmds,
+ if (pcap_fileno(pd) != -1 &&
+ cap_ioctls_limit(pcap_fileno(pd), cmds,
 sizeof(cmds) / sizeof(cmds[0])) < 0 && errno != ENOSYS) {
 error("unable to limit ioctls on pcap descriptor");
 }
@@ -2069,6 +2071,9 @@
 #else
 cansandbox = (cansandbox && ndo->ndo_nflag);
 #endif /* HAVE_CASPER */
+ cansandbox = (cansandbox && (pcap_fileno(pd) != -1 ||
+ RFileName != NULL));
+
 if (cansandbox && cap_enter() < 0 && errno != ENOSYS)
 error("unable to enter the capability mode");
 #endif /* HAVE_CAPSICUM */
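Review bot: The two new guards in the first hunk query `pcap_fileno(pd)` four times and skip both limit calls independently, so a later edit can easily leave the rights limit and the ioctl limit guarded differently. Reading the descriptor once, `int pfd = pcap_fileno(pd);`, and wrapping both calls in a single `if (pfd != -1) {` keeps the two restrictions tied together. A short comment there should also say that a handle without a descriptor gets no rights limiting at all and that its confinement is decided at the later `cap_enter()` site. The enclosing block starts and ends outside this hunk.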
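Review bot: The assignment added in the second hunk disables the sandbox silently: when `pcap_fileno(pd)` is -1 and `RFileName` is NULL, `cap_enter()` is never reached, and nothing tells the operator that the rest of the run, which handles untrusted packet data, is unconfined. That is a fail-open downgrade and should be visible, for example by emitting `warning("no pcap descriptor; not entering capability mode");` in exactly that case before clearing `cansandbox` (assuming tcpdump's `warning()` helper is usable at this point). The assignment also needs a comment above it explaining why a handle with no descriptor and no savefile cannot be sandboxed. The surrounding function starts and ends outside the hunk.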