Thanks for this. Robin and I just had a look, and you're indeed not
seeing the intended behavior. The problem is that currently
tcp_close_delay is set to 0 seconds and so Bro considers the connection
complete immediately after having seen both FINs. Either bump up
tcp_close_delay ...

    bro -r test.1 tcp_close_delay=1sec a.bro

... or load heavy-analysis.bro (which also bumps up the various
timeouts):

    bro -r test.1 a.bro heavy-analysis

In the next release, we'll likely set tcp_close_delay to a small but
non-zero timeout.

Cheers,
Christian