tcpdump

on Linux, capture of IPsec ESP flows seems to result in extra part

Open mcr opened this issue 10 years ago • 0 comments

14:49:07.155314 IP 10.10.4.164 > 10.10.4.165: ESP(spi=0xe8415058,seq=0x10), length 148
14:49:07.155314 IP6 , wrong link-layer encapsulationbad-hlen 0
14:49:07.155401 IP6 fd68:c9f9:4157::a0a:4a4 > fd68:c9f9:4157:2:0:1:808:808: ICMP6, echo request, seq 11, length 64

This is one packet, which due to the way netkey ESP (xfrm) works, is passed by the libpcap capture point twice, but in this case, it seems to result in three packets seen. This is IPv6 over ESP over IPv4 traffic. Note that Jool is also involved.

mcr, Aug 01 '15 18:08