Improve TCP FIN retransmission handling.

In the case multiple FIN packets are seen from a TCP endpoint (e.g.
when one is retransmitted), only the first counted towards a byte in the
sequence space.  This could cause a subsequent FIN packet to induce an
incorrect wrap around in the sequence numbers (e.g.  the retransmitted
FIN packet now is one sequence number behind the the first) and
misleadingly large connection sizes.  The change is to always treat a
FIN packet as counting one byte in to the sequence space.

src/analyzer/protocol/tcp/TCP.cc

@@ -373,14 +373,11 @@ void TCP_Analyzer::ProcessSYN(const IP_Hdr* ip, const struct tcphdr* tp,
 void TCP_Analyzer::ProcessFIN(double t, TCP_Endpoint* endpoint,
 				int& seq_len, uint32 base_seq)
 	{
-	if ( endpoint->FIN_cnt == 0 )
+	++seq_len;  // FIN consumes a byte of sequence space.
-		{
-		++seq_len;	// FIN consumes a byte of sequence space
 	++endpoint->FIN_cnt;  // remember that we've seen a FIN
-		}
 
-	else if ( t < endpoint->last_time + tcp_storm_interarrival_thresh &&
+	if ( t < endpoint->last_time + tcp_storm_interarrival_thresh &&
-		  ++endpoint->FIN_cnt == tcp_storm_thresh )
+	     endpoint->FIN_cnt == tcp_storm_thresh )
 		Weird("FIN_storm");
 
 	// Remember the relative seq in FIN_seq.

testing/btest/Baseline/core.tcp.fin-retransmit/out

@@ -0,0 +1,2 @@
+[size=0, state=5, num_pkts=3, num_bytes_ip=156, flow_label=0]
+[size=0, state=6, num_pkts=2, num_bytes_ip=92, flow_label=0]

testing/btest/core/tcp/fin-retransmit.bro

@@ -0,0 +1,8 @@
+# @TEST-EXEC: bro -b -r $TRACES/tcp/fin_retransmission.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event connection_state_remove(c: connection)
+    {
+    print c$orig;
+    print c$resp;
+    }