cisagov / icsnpp-bacnet

Zeek BACnet Parser - CISA ICSNPP
BSD 3-Clause "New" or "Revised" License

Log missing for packet with message fragment #29

Closed helenwangjia closed 3 months ago

helenwangjia commented 1 year ago

🐛 Summary

The log is missing for packet No.15. There are 20 packets in the test.pcap file in Wireshark, but only 19 records in the log file output by zeek. Then I noticed that No.18 was divided into No.15, No.17 and No.18. But there was no output for No.15. For further confirmation, I output this pcap with tshark, and No.15 was in the log.

To reproduce

Run zeek -Cr test.pcap /usr/local/zeek/share/zeek/site/icsnpp-bacnet/main.zeek

Expected behavior

I expect all packets to be output in the log. Is there any reason why there is no log for packet No.15?

Any helpful log output or screenshots

log output by zeek

#fields ts  uid id.orig_h   id.orig_p   id.resp_h   id.resp_p   is_orig bvlc_function   pdu_type    pdu_service invoke_id   result_code
#types  time    string  addr    port    addr    port    bool    string  string  string  count   string
1692099997.714948   CyFXcfmZiqRZeZJ4b   10.0.0.2    47808   10.0.0.255  47808   T   Original_Broadcast_NPDU UnconfirmedRequest  i_have  -   -
1692099997.714955   CAODIW2u8f64kqJXoj  10.0.0.1    47808   10.0.0.255  47808   T   Original_Broadcast_NPDU UnconfirmedRequest  who_has -   -
1692099997.714958   CyFXcfmZiqRZeZJ4b   10.0.0.2    47808   10.0.0.255  47808   T   Original_Broadcast_NPDU UnconfirmedRequest  i_have  -   -
1692099997.714974   CAODIW2u8f64kqJXoj  10.0.0.1    47808   10.0.0.255  47808   T   Original_Broadcast_NPDU UnconfirmedRequest  who_is  -   -
1692099997.714975   CAODIW2u8f64kqJXoj  10.0.0.1    47808   10.0.0.255  47808   T   Original_Broadcast_NPDU UnconfirmedRequest  i_am    -   -
1692099997.714976   CyFXcfmZiqRZeZJ4b   10.0.0.2    47808   10.0.0.255  47808   T   Original_Broadcast_NPDU UnconfirmedRequest  i_am    -   -
1692099997.714978   CAODIW2u8f64kqJXoj  10.0.0.1    47808   10.0.0.255  47808   T   Original_Broadcast_NPDU UnconfirmedRequest  i_am    -   -
1692099997.714979   CLWbBJ2TaEtF3kDLJj  10.0.0.2    47808   10.0.0.1    47808   T   Original_Unicast_NPDU   UnconfirmedRequest  i_am    -   -
1692099997.714997   CAODIW2u8f64kqJXoj  10.0.0.1    47808   10.0.0.255  47808   T   Original_Broadcast_NPDU UnconfirmedRequest  time_synchronization    -   -
1692099997.714998   CAODIW2u8f64kqJXoj  10.0.0.1    47808   10.0.0.255  47808   T   Original_Broadcast_NPDU UnconfirmedRequest  i_am    -   -
1692099997.715000   CLWbBJ2TaEtF3kDLJj  10.0.0.2    47808   10.0.0.1    47808   T   Original_Unicast_NPDU   UnconfirmedRequest  i_am    -   -
1692099997.715001   CLWbBJ2TaEtF3kDLJj  10.0.0.2    47808   10.0.0.1    47808   F   Original_Unicast_NPDU   ConfirmedRequest    read_property   93  -
1692099997.715002   CLWbBJ2TaEtF3kDLJj  10.0.0.2    47808   10.0.0.1    47808   T   Original_Unicast_NPDU   ComplexAck  read_property   93  -
1692099997.715003   CLWbBJ2TaEtF3kDLJj  10.0.0.2    47808   10.0.0.1    47808   F   Original_Unicast_NPDU   ConfirmedRequest    read_property   94  -
1692099997.715007   CLWbBJ2TaEtF3kDLJj  10.0.0.2    47808   10.0.0.1    47808   F   Original_Unicast_NPDU   SegementAck -   94  -
1692099997.715008   CLWbBJ2TaEtF3kDLJj  10.0.0.2    47808   10.0.0.1    47808   T   Original_Unicast_NPDU   ComplexAck  read_property   94  -
1692099997.715010   CLWbBJ2TaEtF3kDLJj  10.0.0.2    47808   10.0.0.1    47808   T   Original_Unicast_NPDU   ComplexAck  read_property   94  -
1692099997.715012   CLWbBJ2TaEtF3kDLJj  10.0.0.2    47808   10.0.0.1    47808   F   Original_Unicast_NPDU   SegementAck -   94  -
1692099997.715015   CAODIW2u8f64kqJXoj  10.0.0.1    47808   10.0.0.255  47808   T   Original_Broadcast_NPDU UnconfirmedRequest  i_am    -   -

Add any screenshots of the problem here.

Screenshot 2023-08-15 at 22 15 27

test.pcap test.pcap.zip
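A consistency check that can be run over a bacnet.log to spot the gap described in the report above. This is an added example, not part of the issue or of the icsnpp-bacnet project: it flags any segment acknowledgement that has no logged PDU from the peer to acknowledge. It assumes `is_orig` marks the sender's direction and that a connection does not reuse an invoke ID within the log; the function names are hypothetical.

```python
# Added example: flag BACnet SegmentACKs in a Zeek bacnet.log that acknowledge
# a segment the log never recorded.
FIELDS = ("ts uid orig_h orig_p resp_h resp_p is_orig bvlc_function "
          "pdu_type pdu_service invoke_id result_code").split()

# Rows for invoke_id 93 and 94 copied from the log in the report
# (whitespace-separated here; a real Zeek log is tab-separated).
SAMPLE_LOG = """\
1692099997.715001 CLWbBJ2TaEtF3kDLJj 10.0.0.2 47808 10.0.0.1 47808 F Original_Unicast_NPDU ConfirmedRequest read_property 93 -
1692099997.715002 CLWbBJ2TaEtF3kDLJj 10.0.0.2 47808 10.0.0.1 47808 T Original_Unicast_NPDU ComplexAck read_property 93 -
1692099997.715003 CLWbBJ2TaEtF3kDLJj 10.0.0.2 47808 10.0.0.1 47808 F Original_Unicast_NPDU ConfirmedRequest read_property 94 -
1692099997.715007 CLWbBJ2TaEtF3kDLJj 10.0.0.2 47808 10.0.0.1 47808 F Original_Unicast_NPDU SegementAck - 94 -
1692099997.715008 CLWbBJ2TaEtF3kDLJj 10.0.0.2 47808 10.0.0.1 47808 T Original_Unicast_NPDU ComplexAck read_property 94 -
1692099997.715010 CLWbBJ2TaEtF3kDLJj 10.0.0.2 47808 10.0.0.1 47808 T Original_Unicast_NPDU ComplexAck read_property 94 -
1692099997.715012 CLWbBJ2TaEtF3kDLJj 10.0.0.2 47808 10.0.0.1 47808 F Original_Unicast_NPDU SegementAck - 94 -
"""

# The log on the page spells the PDU type "SegementAck"; accept both spellings.
SEGMENT_ACKS = {"SegementAck", "SegmentAck"}

def parse(text):
    """Yield one dict per data row, skipping '#' header lines and blanks."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield dict(zip(FIELDS, line.split()))

def orphan_segment_acks(records):
    """Return SegmentACK rows with nothing logged from the peer to acknowledge."""
    pending = {}  # (uid, invoke_id, sender's is_orig) -> PDUs not yet acknowledged
    orphans = []
    for r in records:
        if r["invoke_id"] == "-":
            continue  # rows without an invoke ID cannot be tied to a SegmentACK
        me = (r["uid"], r["invoke_id"], r["is_orig"])
        peer = (r["uid"], r["invoke_id"], "F" if r["is_orig"] == "T" else "T")
        if r["pdu_type"] in SEGMENT_ACKS:
            if pending.get(peer, 0) == 0:
                orphans.append(r)  # ACK for a segment the log never recorded
            pending[peer] = 0      # one ACK may cover a whole window of segments
        else:
            pending[me] = pending.get(me, 0) + 1
    return orphans

if __name__ == "__main__":
    for r in orphan_segment_acks(parse(SAMPLE_LOG)):
        print("SegmentACK with no logged segment:", r["ts"], r["uid"],
              "invoke_id", r["invoke_id"])
```

On the rows from the report, the only row flagged is the first acknowledgement for invoke ID 94, which is where the unlogged packet No.15 would have appeared.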

kkvarfordt commented 3 months ago

Fixed. See PR #39