../bro -f "port imap" -i xl0 mt
(the network traffic did not have any imap traffic) but still the received
packets was showing the total number of packets originally on the network.
This problem is not there when i run bro on Linux (2.2.16)
On linux it gives the correct received packets (but linux has
a bug that it always returns the dropped packets as 0)
Has anyone seen this problem before. Any fixes/suggestions.
Different systems report different statistics, unfortunately. Some report
a count of only filtered packets, others report a count of all packets.
For Bro, though, he point of the statistics is to see whether you're
dropping packets, so the count of received packets isn't as important as
the count of dropped packets. That said, for kernels that misreport the
count of dropped packets, there's not much you can do.