I thought tcpdump was just a program that read the binary form of the log files?
I thought "dropped" meant it was showing you how many packets were dropped (rejected/unsuccessful connections) by the firewall for the duration that you were monitoring the log. When I had a much slower box I would see packets were 'dropped'. I see now that I was interpreting this the wrong way.
Code:
match
The packet is matched. This mechanism is used to provide fine
grained filtering without altering the block/pass state of a packet.
match rules differ from block and pass rules in that parameters
are set every time a packet matches the rule, not only on the
last matching rule. For the following parameters, this means that
the parameter effectively becomes ``sticky'' until explicitly
overridden: max-mss, min-ttl, no-df, queue, random-id, reassemble tcp,
rtable, and set-tos.
log is different still, in that the action happens every time a
rule matches i.e. a single packet can get logged more than once.
From this, it seems that it's not a match in. It flags it as 'sticky' or OK but waits for an actual allow/block statement to pass the traffic. Am I interpreting this correctly?
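To make the man page text above concrete, here is a small pf.conf fragment written as an added example for this thread; it is not from the original post or from the pf manual. The interface name em0, the port, and the TOS value are assumptions, and the syntax follows the OpenBSD-style pf.conf(5) grammar the quoted text comes from (`log` goes before `on`, and without `quick` the last matching pass/block rule wins).

```conf
# Added example, not from the original post or the pf manual.
# em0, the port and the TOS value are assumptions for illustration.
ext_if = "em0"

set skip on lo

# A match rule never decides pass/block by itself. It only sets
# parameters on every packet it matches, and set-tos is one of the
# "sticky" parameters: it stays applied to the packet even though the
# pass rule that finally lets the packet through never mentions it.
match out on $ext_if proto tcp to port 22 set-tos lowdelay

# log on a match rule fires every time the rule matches, in addition
# to any log on the pass/block rule that decides the packet's fate,
# so a single SSH packet arriving on $ext_if can show up twice in
# pflog0 (once from this match rule, once from "block log all").
match in log on $ext_if proto tcp to port 22

# Only these rules decide the block/pass state. Without "quick", the
# last one that matches wins: inbound SSH is passed by the final rule,
# everything else inbound falls through to "block log all".
block log all
pass out on $ext_if keep state
pass in on $ext_if proto tcp to port 22 keep state
```

Load it with `pfctl -nf` first to syntax-check only (`-n` parses without loading), then watch `tcpdump -n -e -ttt -i pflog0` while making one inbound SSH connection: the accepted SYN appears once via the match rule, and a packet to any other port appears once via `block log all`, which is exactly the "logged more than once" and "does not alter the block/pass state" behaviour the man page describes.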