Hi,
When analyzing a pcap containing fragmented ICMP6 packets, the resulting size (i.e. orig_ip_bytes) in conn.log is not the expected size. For example, a pcap containing only 46 fragments forming a single large ping request of ~65k bytes will result in an orig_ip_bytes of only 376. With some additional debug output in the code (Frag.cc) it seems that the reassembly does take place, and the offset reaches near the 65k mark. However, I was not able to figure out where things go wrong. Is this a possible bug, or am I misinterpreting/misunderstanding things?
NB: My script contains 'redef ignore_checksums=T;', as I'm working with a subset (via editcap) of a real capture.
Version information:
bro 2.3.2, compiled from stable tarball
(Arch) Linux, kernel 3.19
Thanks,
Luuk
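To check a conn.log byte count independently of Bro, it helps to compute from the fragments themselves both the reassembled upper-layer length and the sum of on-the-wire IP bytes, since the question above is which of these conn.log should be reporting. The following is an added example, not code from the post or from Bro: a standard-library Python script that builds a 46-fragment IPv6/ICMPv6 echo request of the kind described (constructed addresses, identification value and payload; `build_ipv6_fragments`, `parse_ipv6_fragment` and `reassemble` are hypothetical helper names), parses the fragment headers per RFC 8200, reassembles by (src, dst, identification) and reports both figures, flagging incomplete reassembly when a fragment is missing.

```python
"""Reassemble IPv6 fragments and report the byte counts a conn.log-style
record could carry. Constructed example using only the standard library."""
import struct
from collections import defaultdict

IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8
NH_FRAGMENT = 44   # IPv6 Fragment extension header
NH_ICMPV6 = 58     # ICMPv6


def build_ipv6_fragments(payload, src, dst, ident, mtu=1500):
    """Split an upper-layer payload into IPv6 fragment packets.
    Every fragment but the last carries a multiple of 8 payload bytes."""
    chunk = (mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) // 8 * 8
    packets, offset = [], 0
    while offset < len(payload):
        piece = payload[offset:offset + chunk]
        more = 1 if offset + len(piece) < len(payload) else 0
        # offset field is in 8-byte units, M flag is the low bit
        frag_hdr = struct.pack("!BBHI", NH_ICMPV6, 0,
                               ((offset // 8) << 3) | more, ident)
        ip_hdr = struct.pack("!IHBB", 0x60000000, FRAG_HDR_LEN + len(piece),
                             NH_FRAGMENT, 64) + src + dst
        packets.append(ip_hdr + frag_hdr + piece)
        offset += len(piece)
    return packets


def parse_ipv6_fragment(pkt):
    """Return (key, byte offset, more flag, data, IP-level length) for a
    packet whose first extension header is a Fragment header, else None."""
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    if nh != NH_FRAGMENT:
        return None
    src, dst = pkt[8:24], pkt[24:40]
    _nh2, _res, off_flags, ident = struct.unpack("!BBHI", pkt[40:48])
    offset = (off_flags >> 3) * 8
    more = off_flags & 1
    data = pkt[48:IPV6_HDR_LEN + payload_len]
    return (src, dst, ident), offset, more, data, IPV6_HDR_LEN + payload_len


def reassemble(packets):
    """Group fragments by (src, dst, identification).
    Returns key -> (reassembled upper-layer bytes or None if incomplete,
                    sum of per-fragment IP bytes, fragment count, complete)."""
    groups = defaultdict(dict)      # key -> {offset: data}
    ip_bytes = defaultdict(int)
    expected_end = {}
    for pkt in packets:
        parsed = parse_ipv6_fragment(pkt)
        if parsed is None:
            continue
        key, offset, more, data, ip_len = parsed
        groups[key][offset] = data
        ip_bytes[key] += ip_len
        if not more:
            expected_end[key] = offset + len(data)
    results = {}
    for key, frags in groups.items():
        pos, complete = 0, key in expected_end
        for off in sorted(frags):       # contiguity check, no gaps allowed
            if off != pos:
                complete = False
                break
            pos = off + len(frags[off])
        if complete and pos != expected_end[key]:
            complete = False
        results[key] = (pos if complete else None, ip_bytes[key],
                        len(frags), complete)
    return results


def demo_echo_request(drop_fragment=None):
    """Constructed 46-fragment ICMPv6 echo request (8-byte ICMPv6 header plus
    65520 data bytes). Optionally drops one fragment index to show the
    incomplete case. Returns the result tuple for the flow."""
    src = bytes.fromhex("20010db8000000000000000000000001")   # constructed
    dst = bytes.fromhex("20010db8000000000000000000000002")   # constructed
    ident = 0x1234                                             # constructed
    icmp = b"\x80\x00\x00\x00\x00\x01\x00\x01" + b"\x00" * 65520
    pkts = build_ipv6_fragments(icmp, src, dst, ident)
    if drop_fragment is not None:
        del pkts[drop_fragment]
    return reassemble(pkts)[(src, dst, ident)]


if __name__ == "__main__":
    total, wire, n, ok = demo_echo_request()
    print(f"{n} fragments, complete={ok}, reassembled={total}, ip_bytes_sum={wire}")
```

With an MTU of 1500 each full fragment carries 1448 payload bytes, so the 65528-byte echo request yields 46 fragments: the reassembled upper-layer length is 65528, while the sum of per-fragment IP bytes (headers included) is 67736. Reading a real capture instead of the constructed packets only requires feeding the raw IPv6 packets of the pcap to `reassemble`.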