PacketFilter::Dropped_packets very large counts

Hoping to understand the data in PacketFilter::Dropped_packets notices
better. What do each of the counts indicate?

Wondering because I have a small percentage of notices from a variety
of sensors that are logging the following in the notices, and the
counts end up being too large of integers for some post-processing
utilities to help compute some metrics on. I suspect that these come
from Bro 2.6 sensors. Examples:

18446744069482849436 packets dropped after filtering,
18446744069489230937 received, 6381501 on link

18446744069467467531 packets dropped after filtering,
18446744069467980684 received, 513153 on link

18446744069774533196 packets dropped after filtering,
18446744069778234931 received, 3701735 on link

18446744069437332601 packets dropped after filtering,
18446744069462690099 received, 25357498 on link

18446744069540779703 packets dropped after filtering,
18446744069561221983 received, 20442280 on link

18446744069457313223 packets dropped after filtering,
18446744069457748075 received, 434852 on link

18446744069561323156 packets dropped after filtering,
18446744069583649097 received, 22325941 on link

I was attempting to track percentage of dropped packets from this
notice by dividing the total received (2nd number) by the count
dropped after filtering (1st number) based on what seems like the more
common types of reports we see, like this one:

1 packets dropped after filtering, 2724370 received, 2724369 on link

(1/2724370 => 0.000000367057338). But I can't conceive that the
messages above are carrying realistic numbers to calculate on.

Looks like a driver problem or something odd going on... something
confusing a 32bit value for a 64bit one. What sort of platform is
this on?

18446744069482849436 is 0xFFFFFFFF0411A49C. Likely that value should
just be 0x0411A49C, which is 68265116,

so that should probably be

68265116 packets dropped after filtering,
74646617 received, 6381501 on link

which still isn't great, but at least makes more sense.

You should upgrade to Zeek. Bro 2.6 is missing years of features,
performance, and security fixes at this point.

Looks like a driver problem or something odd going on… something
confusing a 32bit value for a 64bit one. What sort of platform is
this on?

Verified the following:

CentOS 7
Likely running as VMware guests
NIC drivers:

  • e1000 (version 7.3.21-k8-NAPI)
  • vmxnet3 (version 1.4.16.0-k-NAPI)

You should upgrade to Zeek. Bro 2.6 is missing years of features,
performance, and security fixes at this point.

This is occurring hopefully shortly.
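
The masking suggested in the reply above (drop the 0xFFFFFFFF upper half), written as a post-processing step. This is an added example, not code from the thread or from Bro/Zeek; the function names are hypothetical, and treating all-ones upper bits as a wrongly widened 32-bit counter is the reply's guess, so repaired rows are flagged rather than silently trusted.

```python
import re

# Message layout as it appears in the notices quoted in this thread.
NOTICE_RE = re.compile(
    r"(\d+) packets dropped after filtering,\s+(\d+) received,\s+(\d+) on link"
)
HIGH_ONES = 0xFFFFFFFF00000000  # upper 32 bits of a 64-bit counter
LOW_MASK = 0x00000000FFFFFFFF   # lower 32 bits


def repair(value):
    """Return (value, repaired). A counter whose upper 32 bits are all ones
    is assumed to be a 32-bit value wrongly widened to 64 bits (heuristic)."""
    if value & HIGH_ONES == HIGH_ONES:
        return value & LOW_MASK, True
    return value, False


def parse_notice(msg):
    """Parse one Dropped_packets message; return None if it does not match."""
    m = NOTICE_RE.search(msg)
    if m is None:
        return None
    fixed = [repair(int(g)) for g in m.groups()]
    dropped, received, link = (v for v, _ in fixed)
    return {
        "dropped": dropped,
        "received": received,
        "link": link,
        # True when any counter was masked; keep these rows apart in metrics.
        "repaired": any(flag for _, flag in fixed),
        "drop_ratio": dropped / received if received else None,
    }


# Two messages copied from the thread: one oversized, one normal.
SAMPLES = [
    "18446744069482849436 packets dropped after filtering,\n"
    "18446744069489230937 received, 6381501 on link",
    "1 packets dropped after filtering, 2724370 received, 2724369 on link",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_notice(s))
```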