tcpdump on Sourcefire sensor appears to truncate streams?

Greg.0wen
Level 1

We run tcpdump on our 3D8120 sensor (as described here) to capture network traffic for debugging purposes - our volume of traffic is low enough that this has never been a problem, no high load, no dropping packets, etc. etc.

We recently upgraded from 4.x to 5.x and we're noticing that our pcap files are often truncated on a per-stream basis - they do not appear properly closed in the tcpdump. RST packets are not shown, and when a connection is closed gracefully we only see the first FIN, not the second.

We have correlated conversations with packet captures from partners and have verified cases where they got the RST we sent; our packet capture simply doesn't contain it. And there are no retransmits or other signs that the connection didn't close; connections follow an orderly path and then just stop right where we'd expect the connection close (RST) or where we see the single FIN (I guess that's an orFIN!).

Is there any way that the Sourcefire engine is somehow consuming these end-of-connection packets in a way that they don't make it out to the NFE interface?  Does anyone else see this behavior?  Any ideas for resolving it?

Any help is appreciated.
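The following is an added example, not code from the original post or from Sourcefire/Cisco. It gives a way to measure the symptom described above across a whole capture: for every TCP stream in a pcap it reports whether the capture shows a reset, a FIN in both directions, a FIN in only one direction (the "orFIN" case), or no teardown at all. It also counts records whose captured length is shorter than the on-wire length, because a too-small tcpdump snaplen (`-s`) is a separate, common cause of "truncated" captures that is worth ruling out first. The parser is pure standard library and assumes the classic libpcap file format with Ethernet/IPv4/TCP frames and no VLAN tags; the sample capture at the bottom is constructed in memory for illustration.

```python
# Added example (not from the original post): classify how each TCP stream in a
# pcap ends. Pure stdlib; assumes classic libpcap, Ethernet/IPv4/TCP, no VLAN tags.
import struct
from collections import defaultdict

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def iter_pcap(data):
    """Yield (captured_len, original_len, frame_bytes) for each pcap record."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic libpcap file")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        _sec, _usec, incl, orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield incl, orig, data[off:off + incl]
        off += incl


def parse_tcp(frame):
    """Return (src, sport, dst, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:  # need the flags byte (offset 13)
        return None
    sport, dport = struct.unpack(">HH", tcp[:4])
    return frame[26:30], sport, frame[30:34], dport, tcp[13]


def classify_streams(data):
    """Map each stream (unordered endpoint pair) to (teardown_state, snaplen_truncated_records)."""
    seen = defaultdict(lambda: {"fin_dirs": set(), "rst": False, "snapped": 0})
    for incl, orig, frame in iter_pcap(data):
        hdr = parse_tcp(frame)
        if hdr is None:
            continue
        src, sport, dst, dport, flags = hdr
        s = seen[tuple(sorted([(src, sport), (dst, dport)]))]
        if incl < orig:
            s["snapped"] += 1  # cut by snaplen, a different kind of truncation
        if flags & RST:
            s["rst"] = True
        if flags & FIN:
            s["fin_dirs"].add((src, sport))
    out = {}
    for key, s in seen.items():
        if s["rst"]:
            state = "rst"
        elif len(s["fin_dirs"]) == 2:
            state = "closed"
        elif len(s["fin_dirs"]) == 1:
            state = "half-closed"  # only one FIN seen: the symptom from the post
        else:
            state = "open"
        out[key] = (state, s["snapped"])
    return out


def summarize(data):
    """Return ({state: stream_count}, total snaplen-truncated records) for a pcap."""
    counts, snapped = defaultdict(int), 0
    for state, n in classify_streams(data).values():
        counts[state] += 1
        snapped += n
    return dict(counts), snapped


# --- constructed sample capture (hypothetical hosts, zero checksums) ---
def _frame(src, sport, dst, dport, flags):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = bytes([0x45, 0]) + struct.pack(">HHHBBH", 40, 0, 0, 64, 6, 0) + src + dst
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def _pcap(frames, snaplen=65535):
    body = b"".join(struct.pack("<IIII", 0, 0, len(f[:snaplen]), len(f)) + f[:snaplen]
                    for f in frames)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1) + body


A, B = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"
SAMPLE = _pcap([
    _frame(A, 40001, B, 443, SYN), _frame(B, 443, A, 40001, SYN | ACK),      # stream 1: full close
    _frame(A, 40001, B, 443, FIN | ACK), _frame(B, 443, A, 40001, FIN | ACK),
    _frame(A, 40002, B, 443, SYN), _frame(B, 443, A, 40002, SYN | ACK),      # stream 2: one FIN only
    _frame(A, 40002, B, 443, FIN | ACK),
    _frame(A, 40003, B, 443, SYN), _frame(B, 443, A, 40003, RST | ACK),      # stream 3: reset
    _frame(A, 40004, B, 443, SYN), _frame(B, 443, A, 40004, SYN | ACK),      # stream 4: never closed
])

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run it against a real file with `summarize(open("capture.pcap", "rb").read())`. A high "half-closed" or "open" count with zero snaplen-truncated records points at packets never reaching the capture interface rather than at tcpdump cutting them; a non-zero truncated count means the capture was taken with too small a snaplen and should be repeated with `-s 0`.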
