cisagov/icsnpp-bacnet

Multiple object types, but only one got output

helenwangjia opened this issue · 1 comments

🐛 Summary

When there are multiple object types in one packet, Zeek only outputs one.
For example, there are 20 packets in test.pcap, and no.1 has two object types (device and accumulator), as shown in the Wireshark screenshot. But after I ran this command, zeek -Cr test.pcap /usr/local/zeek/share/zeek/site/icsnpp-bacnet/main.zeek, the object_type is output as “accumulator” only in bacnet_discovery.log.
Another example is no.18, which has 8 object types. However, after I ran this command, zeek -Cr test.pcap /usr/local/zeek/share/zeek/site/icsnpp-bacnet/main.zeek, the object_type is output as “schedule” only in bacnet_property.log.
For further confirmation, I output this pcap with tshark, and each object type is output.

To reproduce

Run zeek -Cr test.pcap /usr/local/zeek/share/zeek/site/icsnpp-bacnet/main.zeek

Expected behavior

Logic for which object type should be output

Any helpful log output

#bacnet_discovery.log for no.1

1692099997.714948	CyFXcfmZiqRZeZJ4b	10.0.0.2	47808	10.0.0.255	47808	T	i-have	accumulator	4	-	-	(empty)

#bacnet_property.log for no.18

1692099997.715010	Cuoso93BOASnNw524i	10.0.0.2	47808	10.0.0.1	47808	T	94	read-property-ack	schedule	385	Vendor Specific (71303554)	-	schedule: 388

Screenshots of the problem (Wireshark):
no.1: Screenshot 2023-08-15 at 22 11 10
no.18: Screenshot 2023-08-15 at 22 12 12

test.pcap
test.pcap.zip

For further information, the log output by tshark for no.1:

1692099997.714948000	10.0.0.2	10.0.0.255	i-Have (1)	47808	Unconfirmed-REQ (1)	device
1692099997.714948000	10.0.0.2	10.0.0.255	i-Have (1)	47808	Unconfirmed-REQ (1)	accumulator

The log output by tshark for no.18:

1692099997.715010000	10.0.0.2	10.0.0.1	readProperty (12)	47808	Complex-ACK (3)	binary-input
1692099997.715010000	10.0.0.2	10.0.0.1	readProperty (12)	47808	Complex-ACK (3)	binary-output
1692099997.715010000	10.0.0.2	10.0.0.1	readProperty (12)	47808	Complex-ACK (3)	binary-value
1692099997.715010000	10.0.0.2	10.0.0.1	readProperty (12)	47808	Complex-ACK (3)	device
1692099997.715010000	10.0.0.2	10.0.0.1	readProperty (12)	47808	Complex-ACK (3)	group
1692099997.715010000	10.0.0.2	10.0.0.1	readProperty (12)	47808	Complex-ACK (3)	notification-class
1692099997.715010000	10.0.0.2	10.0.0.1	readProperty (12)	47808	Complex-ACK (3)	schedule
1692099997.715010000	10.0.0.2	10.0.0.1	readProperty (12)	47808	Complex-ACK (3)	accumulator
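As an added example (not part of this issue or of the icsnpp-bacnet project), the following Python check compares the object types tshark decoded for each packet against the ones in the Zeek logs quoted above, keyed by packet timestamp. The column positions are read off the log lines in this report (object_type is field 8 in bacnet_discovery.log and field 9 in bacnet_property.log); they are assumptions for this check, not something fixed by the analyzer.

```python
from collections import defaultdict

# Constructed copies of the tab-separated log lines quoted in the issue.
ZEEK_DISCOVERY = (
    "1692099997.714948\tCyFXcfmZiqRZeZJ4b\t10.0.0.2\t47808\t10.0.0.255\t47808"
    "\tT\ti-have\taccumulator\t4\t-\t-\t(empty)\n")
ZEEK_PROPERTY = (
    "1692099997.715010\tCuoso93BOASnNw524i\t10.0.0.2\t47808\t10.0.0.1\t47808"
    "\tT\t94\tread-property-ack\tschedule\t385\tVendor Specific (71303554)\t-\tschedule: 388\n")
_T1 = "1692099997.714948000\t10.0.0.2\t10.0.0.255\ti-Have (1)\t47808\tUnconfirmed-REQ (1)\t"
TSHARK_NO1 = "".join(_T1 + t + "\n" for t in ("device", "accumulator"))
_T18 = "1692099997.715010000\t10.0.0.2\t10.0.0.1\treadProperty (12)\t47808\tComplex-ACK (3)\t"
TSHARK_NO18 = "".join(_T18 + t + "\n" for t in (
    "binary-input", "binary-output", "binary-value", "device",
    "group", "notification-class", "schedule", "accumulator"))


def norm_ts(ts):
    """Truncate to microseconds so Zeek (6 decimals) and tshark (9 decimals) keys match."""
    sec, _, frac = ts.partition(".")
    return f"{sec}.{frac[:6]}"


def types_per_packet(text, col):
    """Map each packet timestamp to the set of object types found in column `col`."""
    seen = defaultdict(set)
    for line in text.splitlines():
        if not line or line.startswith("#"):   # skip Zeek header/comment lines
            continue
        fields = line.split("\t")
        seen[norm_ts(fields[0])].add(fields[col])
    return seen


def missing_object_types(zeek_text, zeek_col, tshark_text):
    """Return {ts: object types tshark decoded that the Zeek log does not contain}."""
    zeek = types_per_packet(zeek_text, zeek_col)
    ref = types_per_packet(tshark_text, -1)     # tshark: object type is the last column
    gaps = {ts: ref[ts] - zeek.get(ts, set()) for ts in ref}
    return {ts: miss for ts, miss in gaps.items() if miss}


if __name__ == "__main__":
    print("discovery gaps:", missing_object_types(ZEEK_DISCOVERY, 8, TSHARK_NO1))
    print("property gaps: ", missing_object_types(ZEEK_PROPERTY, 9, TSHARK_NO18))
```

Run against real files by reading bacnet_discovery.log and the tshark output with the same field order; an empty result means every object type tshark saw also reached the Zeek log.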

Fixed, see PR #38.