zeek-plugin-bacnet
when negative-ack is TRUE, representing BACnet-SegmentACK-PDU would be usefully diagnostic
When negative-ack is FALSE, which is the overwhelmingly frequent case, it is fine to output nothing, as code currently does. But when negative-ack is TRUE, representing that would be usefully diagnostic.
```
BACnet-SegmentACK-PDU ::= SEQUENCE {
    pdu-type            Unsigned (0..15),  -- high 4 bits, thus 0x40, 41, 42 or 43 for this PDU type
    reserved            Unsigned (0..3),   -- shall be set to zero
    negative-ack        BOOLEAN,           -- bit1
    server              BOOLEAN,           -- bit0
    original-invoke-id  Unsigned (0..255),
    sequence-number     Unsigned (0..255),
    reserved            Unsigned (0..1),   -- highest bit shall be zero
    actual-window-size  Unsigned (1..127)
}
```
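The behaviour requested above, as an added Python example that is not code from zeek-plugin-bacnet: it decodes the four octets in the layout listed in the issue and returns a diagnostic string only when negative-ack is TRUE or a reserved bit is set, staying silent otherwise. The function names and the sample APDU bytes are constructed for illustration, and the APDU is assumed to start at the pdu-type octet.

```python
from dataclasses import dataclass

PDU_TYPE_SEGMENT_ACK = 0x4  # high nibble of the first APDU octet

@dataclass
class SegmentAck:
    negative_ack: bool
    server: bool
    original_invoke_id: int
    sequence_number: int
    actual_window_size: int
    anomalies: list

def parse_segment_ack(apdu: bytes) -> SegmentAck:
    """Decode the 4-octet BACnet-SegmentACK-PDU laid out in the issue."""
    if len(apdu) < 4:
        raise ValueError("SegmentACK needs 4 octets, got %d" % len(apdu))
    first, invoke_id, seq, window = apdu[:4]
    if first >> 4 != PDU_TYPE_SEGMENT_ACK:
        raise ValueError("not a SegmentACK: pdu-type %d" % (first >> 4))
    anomalies = []
    if first & 0x0C:
        anomalies.append("reserved bits 3..2 of octet 0 are not zero")
    if window & 0x80:
        anomalies.append("reserved high bit of window octet is set")
    if window & 0x7F == 0:
        anomalies.append("actual-window-size 0 is outside 1..127")
    return SegmentAck(bool(first & 0x02), bool(first & 0x01),
                      invoke_id, seq, window & 0x7F, anomalies)

def diagnostic(ack: SegmentAck):
    """Return a log line only for the cases worth surfacing, else None."""
    notes = list(ack.anomalies)
    if ack.negative_ack:
        notes.insert(0, "negative-ack from %s: invoke-id=%d seq=%d window=%d" % (
            "server" if ack.server else "client", ack.original_invoke_id,
            ack.sequence_number, ack.actual_window_size))
    return "; ".join(notes) if notes else None

# Constructed sample APDUs (not taken from a capture).
SAMPLES = [bytes.fromhex("40070210"),   # plain ack, client side
           bytes.fromhex("43070310"),   # negative-ack, server side
           bytes.fromhex("4a070380")]   # negative-ack with reserved bits set

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw.hex(), "->", diagnostic(parse_segment_ack(raw)))
```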
@duffy-corelight, I've just implemented this, but it still needs verification. Do you have pcaps to share? Thanks.
@duffy-corelight, latest update addresses this issue. Like the others, I'll let the customer close the issue if deemed as satisfied.
I'm looking for some actual BACnet-SegmentACK-PDU traffic that I'll run through the parser, before closing.