
From:
David Gwynne <david@gwynne.id.au>
Subject:
populate enchdr in a consistent byteorder for ipsec -> bpf -> tcpdump
To:
tech@openbsd.org
Date:
Wed, 10 Dec 2025 15:25:54 +1000



enchdr should be treated as a network header and populated with a
consistent byte order, regardless of which arch you're running on.

i have already modified tcpdump to cope with these fields being in
either byte order (we're lucky that we can byteswap these values and
none of the fields overlap with fields in the other order). however, it
feels more correct to build the headers properly too.

tests? ok?

Index: ip_ah.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_ah.c,v
diff -u -p -r1.178 ip_ah.c
--- ip_ah.c	4 Aug 2025 14:03:32 -0000	1.178
+++ ip_ah.c	10 Dec 2025 05:20:28 -0000
@@ -878,13 +878,11 @@ ah_output(struct mbuf *m, struct tdb *td
 		encif->if_obytes += m->m_pkthdr.len;
 
 		if (encif->if_bpf) {
-			struct enchdr hdr;
-
-			memset(&hdr, 0, sizeof(hdr));
-
-			hdr.af = tdb->tdb_dst.sa.sa_family;
-			hdr.spi = tdb->tdb_spi;
-			hdr.flags |= M_AUTH;
+			struct enchdr hdr = {
+				.af = htonl(tdb->tdb_dst.sa.sa_family),
+				.spi = tdb->tdb_spi,
+				.flags = htonl(M_AUTH),
+			};
 
 			bpf_mtap_hdr(encif->if_bpf, (char *)&hdr,
 			    ENC_HDRLEN, m, BPF_DIRECTION_OUT);
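Review bot: Replacing the `memset(&hdr, 0, sizeof(hdr))` in ah_output with a designated initializer no longer guarantees that padding bytes inside `struct enchdr` are zero, and `ENC_HDRLEN` bytes of the struct are then copied to bpf listeners by `bpf_mtap_hdr()`. The struct definition is not shown on this page; if it consists only of same-sized 32-bit members there is no padding and nothing leaks, but that assumption is now load-bearing. I would record it next to the initializer, e.g. `/* enchdr has no padding, so the initializer covers every byte handed to bpf */`, or keep the memset. The same applies to the esp_output and ipcomp_output hunks, which drop the memset in the same way.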
Index: ip_esp.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_esp.c,v
diff -u -p -r1.199 ip_esp.c
--- ip_esp.c	8 Jul 2025 00:47:41 -0000	1.199
+++ ip_esp.c	10 Dec 2025 05:20:28 -0000
@@ -707,12 +707,11 @@ esp_output(struct mbuf *m, struct tdb *t
 		encif->if_obytes += m->m_pkthdr.len;
 
 		if (encif->if_bpf) {
-			struct enchdr hdr;
+			struct enchdr hdr = {
+				.af = htonl(tdb->tdb_dst.sa.sa_family),
+				.spi = tdb->tdb_spi,
+			};
 
-			memset(&hdr, 0, sizeof(hdr));
-
-			hdr.af = tdb->tdb_dst.sa.sa_family;
-			hdr.spi = tdb->tdb_spi;
 			if (espx)
 				hdr.flags |= M_CONF;
 			if (esph)
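Review bot: In esp_output the flag bits are still OR-ed in host byte order: the unchanged context line `hdr.flags |= M_CONF;` (and presumably the statement under `if (esph)`, which lies outside the hunk) was not converted, while `.af` in the same header now goes through `htonl()`. On a little-endian machine this yields a header with `af` in network order and `flags` in host order, which is the mixed layout the change sets out to remove and differs from ah_output's `.flags = htonl(M_AUTH)`. The lines should become `hdr.flags |= htonl(M_CONF);` and, for the esph branch, `hdr.flags |= htonl(M_AUTH);`. Whether tcpdump's either-order handling copes with a per-field mix cannot be told from this page.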
Index: ip_ipcomp.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_ipcomp.c,v
diff -u -p -r1.95 ip_ipcomp.c
--- ip_ipcomp.c	8 Jul 2025 00:47:41 -0000	1.95
+++ ip_ipcomp.c	10 Dec 2025 05:20:28 -0000
@@ -325,12 +325,10 @@ ipcomp_output(struct mbuf *m, struct tdb
 		encif->if_obytes += m->m_pkthdr.len;
 
 		if (encif->if_bpf) {
-			struct enchdr hdr;
-
-			memset(&hdr, 0, sizeof(hdr));
-
-			hdr.af = tdb->tdb_dst.sa.sa_family;
-			hdr.spi = tdb->tdb_spi;
+			struct enchdr hdr = {
+				.af = htonl(tdb->tdb_dst.sa.sa_family),
+				.spi = tdb->tdb_spi,
+			};
 
 			bpf_mtap_hdr(encif->if_bpf, (char *)&hdr,
 			    ENC_HDRLEN, m, BPF_DIRECTION_OUT);
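Review bot: The `.spi = tdb->tdb_spi` initializer in ipcomp_output is the only field left without `htonl()`, and nothing in the hunk says why, so it reads like an omission next to the converted `.af`. Presumably `tdb_spi` is already kept in network byte order; if so, a short comment such as `/* tdb_spi is already in network byte order */` would stop a later reader from "fixing" it into a double swap. The same unannotated assignment appears in the ah_output, esp_output and ipsec_common_input_cb hunks.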
Index: ipsec_input.c
===================================================================
RCS file: /cvs/src/sys/netinet/ipsec_input.c,v
diff -u -p -r1.221 ipsec_input.c
--- ipsec_input.c	8 Jul 2025 00:47:41 -0000	1.221
+++ ipsec_input.c	10 Dec 2025 05:20:28 -0000
@@ -564,11 +564,11 @@ ipsec_common_input_cb(struct mbuf **mp, 
 			m->m_pkthdr.ph_ifidx = encif->if_index;
 		}
 		if (encif->if_bpf) {
-			struct enchdr hdr;
-
-			hdr.af = af;
-			hdr.spi = tdbp->tdb_spi;
-			hdr.flags = m->m_flags & (M_AUTH|M_CONF);
+			struct enchdr hdr = {
+				.af = htonl(af),
+				.spi = tdbp->tdb_spi,
+				.flags = htonl(m->m_flags & (M_AUTH|M_CONF)),
+			};
 
 			bpf_mtap_hdr(encif->if_bpf, (char *)&hdr,
 			    ENC_HDRLEN, m, BPF_DIRECTION_IN);