I have a Tripwire check that looks at ipfstat -ion and
every once in a while it would flag.  I'd look at what it
captured and it would be like it doubled up the output, it
would like the normal 46 lines of my ruleset, then keep
going at 47 with another copy.

I wrote a script which duplicated the error in 40 minutes:

#!/bin/bash
#set -x
ipfstat -ion > /tmp/b
rm -f /tmp/attempts
#for i in 1 2 3 4 5 6 7 8 9 10
while true do
do
         ipfstat -ion>/tmp/a
         diff /tmp/a /tmp/b >/tmp/diff-ab
          if [ "$?" -ne "0" ]; then
                 echo "*** ^G  Diff found!"
                 cp /tmp/a /tmp/ipfstat-a
                 cp /tmp/b /tmp/ipfstat-b
                 exit
         else
                 echo "No diff detected."
         fi
         echo "*" >> /tmp/attempts
         sleep 1
done

[root@xyzzyj]<357> wc -l attempts
     2359 attempts

[root@xyzzyj]<321> ipf -V
ipf: IP Filter: v4.1.9 (592)
Kernel: IP Filter: v4.1.9
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1
Feature mask: 0x107

--
"The universal aptitude for ineptitude makes any human accomplishment an incredible miracle." - Stapp's Law