Log missing for packet with message fragment
helenwangjia opened this issue · 1 comment
helenwangjia commented
Summary
Log is missing for packet No.15.
There are 20 packets in test.pcap file on Wireshark, but only 19 records in the log file output by zeek.
Then I noticed that No.18 was divided into No.15, No.17 and No.18. But there was no output for No.15.
For further confirmation, I output this pcap with tshark, and No.15 was in the log.
To reproduce
Run zeek -Cr test.pcap /usr/local/zeek/share/zeek/site/icsnpp-bacnet/main.zeek
Expected behavior
I expect all packets to be output in the log.
Is there any reason why there is no log for packet No.15?
Any helpful log output or screenshots
log output by zeek
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p is_orig bvlc_function pdu_type pdu_service invoke_id result_code
#types time string addr port addr port bool string string string count string
1692099997.714948 CyFXcfmZiqRZeZJ4b 10.0.0.2 47808 10.0.0.255 47808 T Original_Broadcast_NPDU UnconfirmedRequest i_have - -
1692099997.714955 CAODIW2u8f64kqJXoj 10.0.0.1 47808 10.0.0.255 47808 T Original_Broadcast_NPDU UnconfirmedRequest who_has - -
1692099997.714958 CyFXcfmZiqRZeZJ4b 10.0.0.2 47808 10.0.0.255 47808 T Original_Broadcast_NPDU UnconfirmedRequest i_have - -
1692099997.714974 CAODIW2u8f64kqJXoj 10.0.0.1 47808 10.0.0.255 47808 T Original_Broadcast_NPDU UnconfirmedRequest who_is - -
1692099997.714975 CAODIW2u8f64kqJXoj 10.0.0.1 47808 10.0.0.255 47808 T Original_Broadcast_NPDU UnconfirmedRequest i_am - -
1692099997.714976 CyFXcfmZiqRZeZJ4b 10.0.0.2 47808 10.0.0.255 47808 T Original_Broadcast_NPDU UnconfirmedRequest i_am - -
1692099997.714978 CAODIW2u8f64kqJXoj 10.0.0.1 47808 10.0.0.255 47808 T Original_Broadcast_NPDU UnconfirmedRequest i_am - -
1692099997.714979 CLWbBJ2TaEtF3kDLJj 10.0.0.2 47808 10.0.0.1 47808 T Original_Unicast_NPDU UnconfirmedRequest i_am - -
1692099997.714997 CAODIW2u8f64kqJXoj 10.0.0.1 47808 10.0.0.255 47808 T Original_Broadcast_NPDU UnconfirmedRequest time_synchronization - -
1692099997.714998 CAODIW2u8f64kqJXoj 10.0.0.1 47808 10.0.0.255 47808 T Original_Broadcast_NPDU UnconfirmedRequest i_am - -
1692099997.715000 CLWbBJ2TaEtF3kDLJj 10.0.0.2 47808 10.0.0.1 47808 T Original_Unicast_NPDU UnconfirmedRequest i_am - -
1692099997.715001 CLWbBJ2TaEtF3kDLJj 10.0.0.2 47808 10.0.0.1 47808 F Original_Unicast_NPDU ConfirmedRequest read_property 93 -
1692099997.715002 CLWbBJ2TaEtF3kDLJj 10.0.0.2 47808 10.0.0.1 47808 T Original_Unicast_NPDU ComplexAck read_property 93 -
1692099997.715003 CLWbBJ2TaEtF3kDLJj 10.0.0.2 47808 10.0.0.1 47808 F Original_Unicast_NPDU ConfirmedRequest read_property 94 -
1692099997.715007 CLWbBJ2TaEtF3kDLJj 10.0.0.2 47808 10.0.0.1 47808 F Original_Unicast_NPDU SegementAck - 94 -
1692099997.715008 CLWbBJ2TaEtF3kDLJj 10.0.0.2 47808 10.0.0.1 47808 T Original_Unicast_NPDU ComplexAck read_property 94 -
1692099997.715010 CLWbBJ2TaEtF3kDLJj 10.0.0.2 47808 10.0.0.1 47808 T Original_Unicast_NPDU ComplexAck read_property 94 -
1692099997.715012 CLWbBJ2TaEtF3kDLJj 10.0.0.2 47808 10.0.0.1 47808 F Original_Unicast_NPDU SegementAck - 94 -
1692099997.715015 CAODIW2u8f64kqJXoj 10.0.0.1 47808 10.0.0.255 47808 T Original_Broadcast_NPDU UnconfirmedRequest i_am - -
test.pcap
test.pcap.zip
kkvarfordt commented
Fixed. See PR #39
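The frame-versus-log comparison described in the report can be scripted, so a sensor owner can see which frames a parser never logged. This is an added example, not code from the issue or from the icsnpp-bacnet project. The sample inputs are constructed: the frame numbers, the frame 15 timestamp and the tshark field layout (`frame.number`, then `frame.time_epoch` in seconds) are assumptions.

```python
from collections import Counter
from decimal import Decimal

MICRO = Decimal("0.000001")  # Zeek ASCII logs print ts to microseconds

# Constructed sample: assumed output of
#   tshark -r test.pcap -T fields -e frame.number -e frame.time_epoch
# Frame numbers and the frame 15 timestamp are invented for illustration.
SAMPLE_TSHARK = """\
14 1692099997.715003000
15 1692099997.715005000
16 1692099997.715007000
17 1692099997.715008000
18 1692099997.715010000
19 1692099997.715012000
20 1692099997.715015000
"""

# Constructed sample: shortened Zeek log (header line, then ts and uid only).
SAMPLE_LOG = """\
#fields ts uid
1692099997.715003 CLWbBJ2TaEtF3kDLJj
1692099997.715007 CLWbBJ2TaEtF3kDLJj
1692099997.715008 CLWbBJ2TaEtF3kDLJj
1692099997.715010 CLWbBJ2TaEtF3kDLJj
1692099997.715012 CLWbBJ2TaEtF3kDLJj
1692099997.715015 CAODIW2u8f64kqJXoj
"""

def zeek_timestamps(log_text):
    """ts column of a Zeek ASCII log; '#' header lines are skipped."""
    return [Decimal(l.split()[0]).quantize(MICRO)
            for l in log_text.splitlines() if l.strip() and not l.startswith("#")]

def tshark_frames(text):
    """(frame number, timestamp) pairs from the tshark field output."""
    rows = (l.split() for l in text.splitlines() if l.strip())
    return [(int(r[0]), Decimal(r[1]).quantize(MICRO)) for r in rows]

def unlogged_frames(frames, log_ts):
    """Frame numbers whose timestamp has no unused log record left."""
    remaining = Counter(log_ts)  # a timestamp may be logged more than once
    missing = []
    for number, ts in frames:
        if remaining[ts] > 0:
            remaining[ts] -= 1   # consume one record for this frame
        else:
            missing.append(number)
    return missing
```

Matching on timestamp assumes the parser logs one record per frame with the frame's capture time; a parser that emits several records per frame, or none by design for some PDU types, needs a different key.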