Merge remote-tracking branch 'origin/topic/timw/266-namespaces-part4'

* origin/topic/timw/266-namespaces-part4: (34 commits) Add missing namespace to usage of get_exe_path in fuzzer Rename methods in RunState to remove 'net' from their names Move zeek::net namespace to zeek::run_state namespace. Move ScannedFile class and associated globals into ScannedFile.h and out of Net.h and scan.l Rename types in ZeekList.h to be consistent with the style guide Move NetVar from zeek to zeek::detail namespace Remove PRI_PTR_COMPAT macros Fix indentation of namespaced aliases Move zeek-setup code into namespaces Move ZeekList types to zeek namespace Move __RegisterBif from zeek::detail::plugin to zeek::plugin::detail Remove unimplemented zeek_magic_path/bro_magic_path method Move all plugin classes into zeek::plugin::detail namespaces Rename BroList.h to ZeekList.h Move a few smaller files to zeek namespaces Tag the end of some namespaces for consistency Move a few of the zeek::util methods and variables to zeek::util::detail Move zeekygen code to zeek::zeekygen::detail namespace Mark zeek::util::pad_size as constexpr, which provides a small performance improvement Move everything in util.h to zeek::util namespace. ...
2025-10-02 14:48:21 +00:00 · 2020-08-21 08:36:48 -07:00 · 2020-08-21 08:36:48 -07:00 · 046eb58b75
commit 046eb58b75
parent 038fb1c08e 73051135c2
537 changed files with 9219 additions and 6821 deletions
--- a/74
+++ b/74
@ -1,3 +1,77 @@
 3.3.0-dev.177 | 2020-08-21 08:36:48 -0700
  * Add missing namespace to usage of get_exe_path in fuzzer (Tim Wojtulewicz, Corelight)
  * Rename methods in RunState to remove 'net' from their names (Tim Wojtulewicz, Corelight)
  * Move zeek::net namespace to zeek::run_state namespace.
    This also moves all of the code from Net.{h,cc} to RunState.{h,cc} and marks Net.h as deprecated (Tim Wojtulewicz, Corelight)
  * Move ScannedFile class and associated globals into ScannedFile.h and out of Net.h and scan.l (Tim Wojtulewicz, Corelight)
  * Rename types in ZeekList.h to be consistent with the style guide (Tim Wojtulewicz, Corelight)
  * Move NetVar from zeek to zeek::detail namespace (Tim Wojtulewicz, Corelight)
  * Remove PRI_PTR_COMPAT macros (Tim Wojtulewicz, Corelight)
  * Fix indentation of namespaced aliases (Tim Wojtulewicz, Corelight)
  * Move zeek-setup code into namespaces (Tim Wojtulewicz, Corelight)
  * Move ZeekList types to zeek namespace (Tim Wojtulewicz, Corelight)
  * Move __RegisterBif from zeek::detail::plugin to zeek::plugin::detail (Tim Wojtulewicz, Corelight)
  * Remove unimplemented zeek_magic_path/bro_magic_path method (Tim Wojtulewicz, Corelight)
  * Move all plugin classes into zeek::plugin::detail namespaces (Tim Wojtulewicz, Corelight)
  * Rename BroList.h to ZeekList.h (Tim Wojtulewicz, Corelight)
  * Move a few smaller files to zeek namespaces (Tim Wojtulewicz, Corelight)
  * Tag the end of some namespaces for consistency (Tim Wojtulewicz, Corelight)
  * Move a few of the zeek::util methods and variables to zeek::util::detail (Tim Wojtulewicz, Corelight)
  * Move zeekygen code to zeek::zeekygen::detail namespace (Tim Wojtulewicz, Corelight)
  * Mark zeek::util::pad_size as constexpr, which provides a small performance improvement (Tim Wojtulewicz, Corelight)
  * Move everything in util.h to zeek::util namespace.
    This commit includes renaming a number of methods prefixed with bro_ to be prefixed with zeek_. (Tim Wojtulewicz, Corelight)
  * Deprecate ptr_compat_uint and ptr_compat_int in util.h (Tim Wojtulewicz, Corelight)
  * Move NetVar.h to zeek namespace (Tim Wojtulewicz, Corelight)
  * Move the functions and variables in Net.h to the zeek::net namespace. This includes moving network_time out of util.h. (Tim Wojtulewicz, Corelight)
  * Add namespaced version of trigger_mgr, fix a couple uses of event_registry (Tim Wojtulewicz, Corelight)
  * Move the remainder of the analyzers to zeek namespaces (Tim Wojtulewicz, Corelight)
  * Move arp, tcp, udp, pia, and stepping stone analyzers (Tim Wojtulewicz, Corelight)
  * Move bro_broker code to zeek::Broker namespace (Tim Wojtulewicz, Corelight)
  * Move notifier code to zeek::notifier::detail namespace (Tim Wojtulewicz, Corelight)
  * Move threading classes to zeek namespaces (Tim Wojtulewicz, Corelight)
  * Move probabilistic code into zeek namespaces (Tim Wojtulewicz, Corelight)
  * Move iosource code to zeek namespaces (Tim Wojtulewicz, Corelight)
  * Move logging code to zeek namespaces (Tim Wojtulewicz, Corelight)
  * Move input code to zeek namespaces (Tim Wojtulewicz, Corelight)
  * Move file_analysis code to zeek namespaces (Tim Wojtulewicz, Corelight)
 3.3.0-dev.142 | 2020-08-20 16:26:06 -0700
--- a/5
+++ b/5
@ -44,6 +44,11 @@ Removed Functionality
 - The counter type was removed. This type was never fully functional/used
  anywhere.
 - Removed the PRI_PTR_COMPAT_INT, PRI_PTR_COMPAT_UINT, and PRI_SOURCE_ID
  macros. There are no deprecation warnings for these because they were C
  macros. Use the PRIdPTR and PRIuPTR macros from the standard library
  instead.
 Deprecated Functionality
 ------------------------
--- a/2
+++ b/2
@ -1 +1 @@
-3.3.0-dev.142
+3.3.0-dev.177
--- a/auxil/bifcl
+++ b/auxil/bifcl
@ -1 +1 @@
-Subproject commit 2affd6a4fd7b2543a533c481334828d3a47890d6
+Subproject commit 1f7e277dd43fb69acaf44aaac4d2fe04207ff6ad
--- a/src/Anon.cc
+++ b/src/Anon.cc
@ -20,7 +20,7 @@ AnonymizeIPAddr* zeek::detail::ip_anonymizer[NUM_ADDR_ANONYMIZATION_METHODS] = {
 static uint32_t rand32()
 	{
-	return ((zeek::random_number() & 0xffff) << 16) | (zeek::random_number() & 0xffff);
+	return ((zeek::util::detail::random_number() & 0xffff) << 16) | (zeek::util::detail::random_number() & 0xffff);
 	}
 // From tcpdpriv.
@ -104,7 +104,7 @@ ipaddr32_t AnonymizeIPAddr_RandomMD5::anonymize(ipaddr32_t input)
 	uint8_t digest[16];
 	ipaddr32_t output = 0;
-	hmac_md5(sizeof(input), (u_char*)(&input), digest);
+	zeek::util::detail::hmac_md5(sizeof(input), (u_char*)(&input), digest);
 	for ( int i = 0; i < 4; ++i )
 		output = (output << 8) | digest[i];
@ -132,7 +132,7 @@ ipaddr32_t AnonymizeIPAddr_PrefixMD5::anonymize(ipaddr32_t input)
 		prefix.prefix = htonl((input & ~(prefix_mask>>i)) | (1<<(31-i)));
 		// HK(PAD(x_0 ... x_{i-1})).
-		hmac_md5(sizeof(prefix), (u_char*) &prefix, digest);
+		zeek::util::detail::hmac_md5(sizeof(prefix), (u_char*) &prefix, digest);
 		// f_{i-1} = LSB(HK(PAD(x_0 ... x_{i-1}))).
 		ipaddr32_t bit_mask = (digest[0] & 1) << (31-i);
--- a/src/Anon.h
+++ b/src/Anon.h
@ -129,4 +129,4 @@ ipaddr32_t anonymize_ip(ipaddr32_t ip, enum ip_addr_anonymization_class_t cl);
 #define LOG_ANONYMIZATION_MAPPING
 void log_anonymization_mapping(ipaddr32_t input, ipaddr32_t output);
-}
+} // namespace zeek::detail
--- a/src/Attr.cc
+++ b/src/Attr.cc
@ -150,7 +150,7 @@ void Attr::AddTag(ODesc* d) const
 		d->Add(attr_name(Tag()));
 	}
-Attributes::Attributes(attr_list* a, TypePtr t, bool arg_in_record, bool is_global)
+Attributes::Attributes(AttrPList* a, TypePtr t, bool arg_in_record, bool is_global)
 	{
 	attrs_list.resize(a->length());
 	attrs.reserve(a->length());
@ -537,7 +537,7 @@ void Attributes::CheckAttr(Attr* a)
 		const auto& table_index_types = the_table->GetIndexTypes();
-		type_list expected_args(1 + static_cast<int>(table_index_types.size()));
+		TypePList expected_args(1 + static_cast<int>(table_index_types.size()));
 		expected_args.push_back(type->AsTableType());
 		for ( const auto& t : table_index_types )
--- a/src/Attr.h
+++ b/src/Attr.h
@ -6,7 +6,7 @@
 #include <string>
 #include "Obj.h"
-#include "BroList.h"
+#include "ZeekList.h"
 #include "IntrusivePtr.h"
 ZEEK_FORWARD_DECLARE_NAMESPACED(Expr, zeek::detail);
@ -107,7 +107,7 @@ protected:
 class Attributes final : public Obj {
 public:
 	[[deprecated("Remove in v4.1.  Construct using IntrusivePtrs instead.")]]
-	Attributes(attr_list* a, zeek::TypePtr t, bool in_record, bool is_global);
+	Attributes(AttrPList* a, zeek::TypePtr t, bool in_record, bool is_global);
 	Attributes(std::vector<AttrPtr> a, zeek::TypePtr t,
 	           bool in_record, bool is_global);
@ -133,7 +133,7 @@ public:
 	void DescribeReST(ODesc* d, bool shorten = false) const;
 	[[deprecated("Remove in v4.1. Use GetAttrs().")]]
-	const attr_list* Attrs() const
+	const AttrPList* Attrs() const
 		{ return &attrs_list; }
 	const std::vector<AttrPtr>& GetAttrs() const
@ -148,7 +148,7 @@ protected:
 	std::vector<AttrPtr> attrs;
 	// Remove in v4.1. This is used by Attrs(), which is deprecated.
-	attr_list attrs_list;
+	AttrPList attrs_list;
 	bool in_record;
 	bool global_var;
 };
--- a/src/Base64.cc
+++ b/src/Base64.cc
@ -193,7 +193,7 @@ int Base64Converter::Decode(int len, const char* data, int* pblen, char** pbuf)
 		else
 			{
 			if ( ++errored == 1 )
-				IllegalEncoding(fmt("character %d ignored by Base64 decoding", (int) (data[dlen])));
+				IllegalEncoding(zeek::util::fmt("character %d ignored by Base64 decoding", (int) (data[dlen])));
 			}
 		++dlen;
@ -210,7 +210,8 @@ int Base64Converter::Done(int* pblen, char** pbuf)
 	if ( base64_group_next != 0 )
 		{
 		if ( base64_group_next < 4 )
-			IllegalEncoding(fmt("incomplete base64 group, padding with %d bits of 0", (4-base64_group_next) * 6));
+			IllegalEncoding(zeek::util::fmt("incomplete base64 group, padding with %d bits of 0",
 			                                (4-base64_group_next) * 6));
 		Decode(4 - base64_group_next, padding, pblen, pbuf);
 		return -1;
 		}
--- a/src/BroList.h
+++ b/src/BroList.h
@ -1,27 +1,2 @@
-// See the file "COPYING" in the main distribution directory for copyright.
+#warning "BroList.h is deprecated and will be removed in v4.1. Use ZeekList.h instead."
-
+#include "ZeekList.h"
 #pragma once
 #include "List.h"
 ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek);
 using val_list = zeek::PList<zeek::Val>;
 ZEEK_FORWARD_DECLARE_NAMESPACED(Expr, zeek::detail);
 using expr_list = zeek::PList<zeek::detail::Expr>;
 ZEEK_FORWARD_DECLARE_NAMESPACED(ID, zeek::detail);
 using id_list = zeek::PList<zeek::detail::ID>;
 ZEEK_FORWARD_DECLARE_NAMESPACED(Stmt, zeek::detail);
 using stmt_list = zeek::PList<zeek::detail::Stmt>;
 namespace zeek { class Type; }
 using BroType [[deprecated("Remove in v4.1. Use zeek::Type instead.")]] = zeek::Type;
 using type_list = zeek::PList<zeek::Type>;
 ZEEK_FORWARD_DECLARE_NAMESPACED(Attr, zeek::detail);
 using attr_list = zeek::PList<zeek::detail::Attr>;
 ZEEK_FORWARD_DECLARE_NAMESPACED(Timer, zeek::detail);
 using timer_list = zeek::PList<zeek::detail::Timer, zeek::ListOrder::UNORDERED>;
--- a/src/CCL.cc
+++ b/src/CCL.cc
@ -31,7 +31,7 @@ void CCL::Negate()
 void CCL::Add(int sym)
 	{
-	ptr_compat_int sym_p = ptr_compat_int(sym);
+	auto sym_p = static_cast<std::intptr_t>(sym);
 	// Check to see if the character is already in the ccl.
 	for ( auto sym : *syms )
@ -48,7 +48,7 @@ void CCL::Sort()
 unsigned int CCL::MemoryAllocation() const
 	{
-	return padded_sizeof(*this) + padded_sizeof(*syms) + pad_size(syms->size() * sizeof(int_list::value_type));
+	return padded_sizeof(*this) + padded_sizeof(*syms) + zeek::util::pad_size(syms->size() * sizeof(int_list::value_type));
 	}
 } // namespace zeek::detail
--- a/src/CCL.h
+++ b/src/CCL.h
@ -2,12 +2,12 @@
 #pragma once
 #include <cstdint>
 #include <vector>
 #include "util.h" // for ptr_compat_int
 namespace zeek::detail {
-using int_list = std::vector<ptr_compat_int>;
+using int_list = std::vector<std::intptr_t>;
 class CCL {
 public:
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@ -253,8 +253,8 @@ set(MAIN_SRCS
    List.cc
    Reporter.cc
    NFA.cc
    Net.cc
    NetVar.cc
    Notifier.cc
    Obj.cc
    OpaqueVal.cc
    Options.cc
@ -270,12 +270,13 @@ set(MAIN_SRCS
    RuleAction.cc
    RuleCondition.cc
    RuleMatcher.cc
-    SmithWaterman.cc
+    RunState.cc
    ScannedFile.cc
    Scope.cc
    ScriptCoverageManager.cc
    SerializationFormat.cc
    Sessions.cc
-    Notifier.cc
+    SmithWaterman.cc
    Stats.cc
    Stmt.cc
    Tag.cc
--- a/src/CompHash.h
+++ b/src/CompHash.h
@ -36,7 +36,7 @@ public:
 	zeek::ListValPtr RecoverVals(const zeek::detail::HashKey* k) const
 		{ return RecoverVals(*k); }
-	unsigned int MemoryAllocation() const { return padded_sizeof(*this) + pad_size(size); }
+	unsigned int MemoryAllocation() const { return padded_sizeof(*this) + zeek::util::pad_size(size); }
 protected:
 	std::unique_ptr<zeek::detail::HashKey> ComputeSingletonHash(const zeek::Val* v, bool type_check) const;
--- a/src/Conn.cc
+++ b/src/Conn.cc
@ -7,7 +7,7 @@
 #include <ctype.h>
 #include "Desc.h"
-#include "Net.h"
+#include "RunState.h"
 #include "NetVar.h"
 #include "Event.h"
 #include "Sessions.h"
@ -194,8 +194,8 @@ void Connection::NextPacket(double t, bool is_orig,
                            // arguments for reproducing packets
                            const zeek::Packet *pkt)
 	{
-	current_timestamp = t;
+	zeek::run_state::current_timestamp = t;
-	current_pkt = pkt;
+	zeek::run_state::current_pkt = pkt;
 	if ( Skipping() )
 		return;
@ -218,13 +218,13 @@ void Connection::NextPacket(double t, bool is_orig,
 	else
 		last_time = t;
-	current_timestamp = 0;
+	zeek::run_state::current_timestamp = 0;
-	current_pkt = nullptr;
+	zeek::run_state::current_pkt = nullptr;
 	}
 void Connection::SetLifetime(double lifetime)
 	{
-	ADD_TIMER(&Connection::DeleteTimer, network_time + lifetime, 0,
+	ADD_TIMER(&Connection::DeleteTimer, zeek::run_state::network_time + lifetime, 0,
 	          zeek::detail::TIMER_CONN_DELETE);
 	}
@ -326,10 +326,10 @@ void Connection::SetInactivityTimeout(double timeout)
 void Connection::EnableStatusUpdateTimer()
 	{
-	if ( connection_status_update && connection_status_update_interval )
+	if ( connection_status_update && zeek::detail::connection_status_update_interval )
 		{
 		ADD_TIMER(&Connection::StatusUpdateTimer,
-		          network_time + connection_status_update_interval, 0,
+		          zeek::run_state::network_time + zeek::detail::connection_status_update_interval, 0,
 		          zeek::detail::TIMER_CONN_STATUS_UPDATE);
 		installed_status_timer = 1;
 		}
@ -339,7 +339,7 @@ void Connection::StatusUpdateTimer(double t)
 	{
 	EnqueueEvent(connection_status_update, nullptr, ConnVal());
 	ADD_TIMER(&Connection::StatusUpdateTimer,
-	          network_time + connection_status_update_interval, 0,
+	          zeek::run_state::network_time + zeek::detail::connection_status_update_interval, 0,
 	          zeek::detail::TIMER_CONN_STATUS_UPDATE);
 	}
@ -389,7 +389,7 @@ const zeek::RecordValPtr& Connection::ConnVal()
 		conn_val->Assign(6, zeek::val_mgr->EmptyString());	// history
 		if ( ! uid )
-			uid.Set(bits_per_uid);
+			uid.Set(zeek::detail::bits_per_uid);
 		conn_val->Assign(7, zeek::make_intrusive<zeek::StringVal>(uid.Base62("C").c_str()));
@ -439,7 +439,7 @@ void Connection::AppendAddl(const char* str)
 	const char* old = cv->GetField(6)->AsString()->CheckString();
 	const char* format = *old ? "%s %s" : "%s%s";
-	cv->Assign(6, zeek::make_intrusive<zeek::StringVal>(fmt(format, old, str)));
+	cv->Assign(6, zeek::make_intrusive<zeek::StringVal>(zeek::util::fmt(format, old, str)));
 	}
 // Returns true if the character at s separates a version number.
@ -502,7 +502,7 @@ void Connection::Event(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* analyz
 		             zeek::IntrusivePtr{zeek::AdoptRef{}, v1});
 	}
-void Connection::ConnectionEvent(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* a, val_list vl)
+void Connection::ConnectionEvent(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* a, ValPList vl)
 	{
 	auto args = zeek::val_list_to_args(vl);
@ -512,17 +512,17 @@ void Connection::ConnectionEvent(zeek::EventHandlerPtr f, zeek::analyzer::Analyz
 		return;
 	// "this" is passed as a cookie for the event
-	zeek::event_mgr.Enqueue(f, std::move(args), SOURCE_LOCAL, a ? a->GetID() : 0, this);
+	zeek::event_mgr.Enqueue(f, std::move(args), zeek::util::detail::SOURCE_LOCAL, a ? a->GetID() : 0, this);
 	}
-void Connection::ConnectionEventFast(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* a, val_list vl)
+void Connection::ConnectionEventFast(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* a, ValPList vl)
 	{
 	// "this" is passed as a cookie for the event
-	zeek::event_mgr.Enqueue(f, zeek::val_list_to_args(vl), SOURCE_LOCAL,
+	zeek::event_mgr.Enqueue(f, zeek::val_list_to_args(vl), zeek::util::detail::SOURCE_LOCAL,
 	                        a ? a->GetID() : 0, this);
 	}
-void Connection::ConnectionEvent(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* a, val_list* vl)
+void Connection::ConnectionEvent(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* a, ValPList* vl)
 	{
 	auto args = zeek::val_list_to_args(*vl);
 	delete vl;
@ -535,7 +535,7 @@ void Connection::EnqueueEvent(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer*
                              zeek::Args args)
 	{
 	// "this" is passed as a cookie for the event
-	zeek::event_mgr.Enqueue(f, std::move(args), SOURCE_LOCAL, a ? a->GetID() : 0, this);
+	zeek::event_mgr.Enqueue(f, std::move(args), zeek::util::detail::SOURCE_LOCAL, a ? a->GetID() : 0, this);
 	}
 void Connection::Weird(const char* name, const char* addl)
@ -572,7 +572,7 @@ void Connection::CancelTimers()
 	// call RemoveTimer(), which would then modify the list we're just
 	// traversing. Thus, we first make a copy of the list which we then
 	// iterate through.
-	timer_list tmp(timers.length());
+	TimerPList tmp(timers.length());
 	std::copy(timers.begin(), timers.end(), std::back_inserter(tmp));
 	for ( const auto& timer : tmp )
@ -690,7 +690,8 @@ void Connection::IDString(zeek::ODesc* d) const
 	d->Add(ntohs(resp_port));
 	}
-void Connection::SetRootAnalyzer(zeek::analyzer::TransportLayerAnalyzer* analyzer, ::analyzer::pia::PIA* pia)
+void Connection::SetRootAnalyzer(zeek::analyzer::TransportLayerAnalyzer* analyzer,
                                 zeek::analyzer::pia::PIA* pia)
 	{
 	root_analyzer = analyzer;
 	primary_PIA = pia;
--- a/src/Conn.h
+++ b/src/Conn.h
@ -204,7 +204,7 @@ public:
 	// arguments used for the event are whatevever is provided in 'vl'.
 	[[deprecated("Remove in v4.1.  Use EnqueueEvent() instead.")]]
 	void ConnectionEvent(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer,
-				val_list vl);
+	                     ValPList vl);
 	// Same as ConnectionEvent, except taking the event's argument list via a
 	// pointer instead of by value.  This function takes ownership of the
@ -212,7 +212,7 @@ public:
 	// of each of its elements.
 	[[deprecated("Remove in v4.1.  Use EnqueueEvent() instead.")]]
 	void ConnectionEvent(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer,
-				val_list* vl);
+	                     ValPList* vl);
 	// Queues an event without first checking if there's any available event
 	// handlers (or remote consumes).  If it turns out there's actually nothing
@ -224,7 +224,7 @@ public:
 	// there's no handlers to consume them).
 	[[deprecated("Remove in v4.1.  Use EnqueueEvent() instead.")]]
 	void ConnectionEventFast(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer,
-				val_list vl);
+	                         ValPList vl);
 	/**
 	 * Enqueues an event associated with this connection and given analyzer.
@ -303,9 +303,9 @@ public:
 	void DeleteTimer(double t);
 	// Sets the root of the analyzer tree as well as the primary PIA.
-	void SetRootAnalyzer(zeek::analyzer::TransportLayerAnalyzer* analyzer, ::analyzer::pia::PIA* pia);
+	void SetRootAnalyzer(zeek::analyzer::TransportLayerAnalyzer* analyzer, zeek::analyzer::pia::PIA* pia);
 	zeek::analyzer::TransportLayerAnalyzer* GetRootAnalyzer()	{ return root_analyzer; }
-	::analyzer::pia::PIA* GetPrimaryPIA()	{ return primary_PIA; }
+	zeek::analyzer::pia::PIA* GetPrimaryPIA()	{ return primary_PIA; }
 	// Sets the transport protocol in use.
 	void SetTransport(TransportProto arg_proto)	{ proto = arg_proto; }
@ -346,7 +346,7 @@ protected:
 	zeek::detail::ConnIDKey key;
 	bool key_valid;
-	timer_list timers;
+	TimerPList timers;
 	zeek::IPAddr orig_addr;
 	zeek::IPAddr resp_addr;
@ -382,7 +382,7 @@ protected:
 	uint32_t hist_seen;
 	zeek::analyzer::TransportLayerAnalyzer* root_analyzer;
-	::analyzer::pia::PIA* primary_PIA;
+	zeek::analyzer::pia::PIA* primary_PIA;
 	zeek::UID uid;	// Globally unique connection ID.
 	zeek::detail::WeirdStateMap weird_state;
--- a/src/DFA.cc
+++ b/src/DFA.cc
@ -284,9 +284,9 @@ void DFA_State::Stats(unsigned int* computed, unsigned int* uncomputed)
 unsigned int DFA_State::Size()
 	{
 	return sizeof(*this)
-		+ pad_size(sizeof(DFA_State*) * num_sym)
+		+ zeek::util::pad_size(sizeof(DFA_State*) * num_sym)
-		+ (accept ? pad_size(sizeof(int) * accept->size()) : 0)
+		+ (accept ? zeek::util::pad_size(sizeof(int) * accept->size()) : 0)
-		+ (nfa_states ? pad_size(sizeof(NFA_State*) * nfa_states->length()) : 0)
+		+ (nfa_states ? zeek::util::pad_size(sizeof(NFA_State*) * nfa_states->length()) : 0)
 		+ (meta_ec ? meta_ec->Size() : 0);
 	}
@ -373,7 +373,7 @@ void DFA_State_Cache::GetStats(Stats* s)
 		++s->dfa_states;
 		s->nfa_states += e->NFAStateNum();
 		e->Stats(&s->computed, &s->uncomputed);
-		s->mem += pad_size(e->Size()) + padded_sizeof(*e);
+		s->mem += zeek::util::pad_size(e->Size()) + padded_sizeof(*e);
 		}
 	}
--- a/src/DNS_Mgr.cc
+++ b/src/DNS_Mgr.cc
@ -34,7 +34,7 @@
 #include "ZeekString.h"
 #include "Expr.h"
 #include "Event.h"
-#include "Net.h"
+#include "RunState.h"
 #include "Val.h"
 #include "NetVar.h"
 #include "ID.h"
@ -58,7 +58,7 @@ namespace zeek::detail {
 class DNS_Mgr_Request {
 public:
 	DNS_Mgr_Request(const char* h, int af, bool is_txt)
-	    : host(copy_string(h)), fam(af), qtype(is_txt ? 16 : 0), addr(),
+	    : host(zeek::util::copy_string(h)), fam(af), qtype(is_txt ? 16 : 0), addr(),
 	      request_pending()
 		{ }
@ -140,7 +140,7 @@ public:
 		if ( req_host && num_addrs == 0)
 			return false; // nothing to expire
-		return current_time() > (creation_time + req_ttl);
+		return zeek::util::current_time() > (creation_time + req_ttl);
 		}
 	int Type() const { return map_type; }
@ -187,11 +187,11 @@ static zeek::TableValPtr empty_addr_set()
 DNS_Mapping::DNS_Mapping(const char* host, struct hostent* h, uint32_t ttl)
 	{
 	Init(h);
-	req_host = copy_string(host);
+	req_host = zeek::util::copy_string(host);
 	req_ttl = ttl;
 	if ( names && ! names[0] )
-		names[0] = copy_string(host);
+		names[0] = zeek::util::copy_string(host);
 	}
 DNS_Mapping::DNS_Mapping(const zeek::IPAddr& addr, struct hostent* h, uint32_t ttl)
@ -231,13 +231,13 @@ DNS_Mapping::DNS_Mapping(FILE* f)
 	failed = static_cast<bool>(failed_local);
 	if ( is_req_host )
-		req_host = copy_string(req_buf);
+		req_host = zeek::util::copy_string(req_buf);
 	else
 		req_addr = zeek::IPAddr(req_buf);
 	num_names = 1;
 	names = new char*[num_names];
-	names[0] = copy_string(name_buf);
+	names[0] = zeek::util::copy_string(name_buf);
 	if ( num_addrs > 0 )
 		{
@ -318,7 +318,7 @@ void DNS_Mapping::Init(struct hostent* h)
 	{
 	no_mapping = false;
 	init_failed = false;
-	creation_time = current_time();
+	creation_time = zeek::util::current_time();
 	host_val = nullptr;
 	addrs_val = nullptr;
@ -331,7 +331,7 @@ void DNS_Mapping::Init(struct hostent* h)
 	map_type = h->h_addrtype;
 	num_names = 1;	// for now, just use official name
 	names = new char*[num_names];
-	names[0] = h->h_name ? copy_string(h->h_name) : nullptr;
+	names[0] = h->h_name ? zeek::util::copy_string(h->h_name) : nullptr;
 	for ( num_addrs = 0; h->h_addr_list[num_addrs]; ++num_addrs )
 		;
@ -411,7 +411,7 @@ void DNS_Mgr::InitSource()
 	// script-layer option to configure the DNS resolver as it may not be
 	// configured to the user's desired address at the time when we need to to
 	// the lookup.
-	auto dns_resolver = zeekenv("ZEEK_DNS_RESOLVER");
+	auto dns_resolver = zeek::util::zeekenv("ZEEK_DNS_RESOLVER");
 	auto dns_resolver_addr = dns_resolver ? zeek::IPAddr(dns_resolver) : zeek::IPAddr();
 	char err[NB_DNS_ERRSIZE];
@ -439,7 +439,7 @@ void DNS_Mgr::InitSource()
 	if ( nb_dns )
 		{
-		if ( ! iosource_mgr->RegisterFd(nb_dns_fd(nb_dns), this) )
+		if ( ! zeek::iosource_mgr->RegisterFd(nb_dns_fd(nb_dns), this) )
 			zeek::reporter->FatalError("Failed to register nb_dns file descriptor with iosource_mgr");
 		}
 	else
@ -455,7 +455,7 @@ void DNS_Mgr::InitPostScript()
 	dm_rec = zeek::id::find_type<zeek::RecordType>("dns_mapping");
 	// Registering will call Init()
-	iosource_mgr->Register(this, true);
+	zeek::iosource_mgr->Register(this, true);
 	const char* cache_dir = dir ? dir : ".";
 	cache_name = new char[strlen(cache_dir) + 64];
@ -1204,7 +1204,7 @@ void DNS_Mgr::IssueAsyncRequests()
 			continue;
 			}
-		req->time = current_time();
+		req->time = zeek::util::current_time();
 		asyncs_timeouts.push(req);
 		++asyncs_pending;
@ -1338,7 +1338,7 @@ double DNS_Mgr::GetNextTimeout()
 	if ( asyncs_timeouts.empty() )
 		return -1;
-	return network_time + DNS_TIMEOUT;
+	return zeek::run_state::network_time + DNS_TIMEOUT;
 	}
 void DNS_Mgr::Process()
@ -1350,7 +1350,7 @@ void DNS_Mgr::Process()
 		{
 		AsyncRequest* req = asyncs_timeouts.top();
-		if ( req->time + DNS_TIMEOUT > current_time() && ! terminating )
+		if ( req->time + DNS_TIMEOUT > zeek::util::current_time() && ! zeek::run_state::terminating )
 			break;
 		if ( ! req->processed )
@ -1462,7 +1462,7 @@ void DNS_Mgr::GetStats(Stats* stats)
 void DNS_Mgr::Terminate()
 	{
 	if ( nb_dns )
-		iosource_mgr->UnregisterFd(nb_dns_fd(nb_dns), this);
+		zeek::iosource_mgr->UnregisterFd(nb_dns_fd(nb_dns), this);
 	}
 } // namespace zeek::detail
--- a/src/DNS_Mgr.h
+++ b/src/DNS_Mgr.h
@ -47,7 +47,7 @@ enum DNS_MgrMode {
 // Number of seconds we'll wait for a reply.
 #define DNS_TIMEOUT 5
-class DNS_Mgr final : public iosource::IOSource {
+class DNS_Mgr final : public zeek::iosource::IOSource {
 public:
 	explicit DNS_Mgr(DNS_MgrMode mode);
 	~DNS_Mgr() override;
@ -62,7 +62,7 @@ public:
 	zeek::ValPtr LookupAddr(const zeek::IPAddr& addr);
 	// Define the directory where to store the data.
-	void SetDir(const char* arg_dir)	{ dir = copy_string(arg_dir); }
+	void SetDir(const char* arg_dir)	{ dir = zeek::util::copy_string(arg_dir); }
 	void Verify();
 	void Resolve();
--- a/src/Debug.cc
+++ b/src/Debug.cc
@ -119,7 +119,7 @@ FILE* TraceState::SetTraceFile(const char* filename)
 	{
 	FILE* newfile;
-	if ( streq(filename, "-") )
+	if ( zeek::util::streq(filename, "-") )
 		newfile = stderr;
 	else
 		newfile = fopen(filename, "w");
@ -158,7 +158,7 @@ int TraceState::LogTrace(const char* fmt, ...)
 	va_start(args, fmt);
 	// Prefix includes timestamp and file/line info.
-	fprintf(trace_file, "%.6f ", network_time);
+	fprintf(trace_file, "%.6f ", zeek::run_state::network_time);
 	const zeek::detail::Stmt* stmt;
 	zeek::detail::Location loc;
@ -179,7 +179,7 @@ int TraceState::LogTrace(const char* fmt, ...)
 	if ( ! loc.filename )
 		{
-		loc.filename = copy_string("<no filename>");
+		loc.filename = zeek::util::copy_string("<no filename>");
 		loc.last_line = 0;
 		}
@ -377,7 +377,7 @@ vector<ParseLocationRec> parse_location_string(const string& s)
 			if ( ! sscanf(line_string.c_str(), "%d", &plr.line) )
 				plr.type = PLR_UNKNOWN;
-			string path(find_script_file(filename, bro_path()));
+			string path(zeek::util::find_script_file(filename, zeek::util::zeek_path()));
 			if ( path.empty() )
 				{
@ -555,7 +555,7 @@ int dbg_execute_command(const char* cmd)
 	if ( ! cmd )
 		return 0;
-	if ( streq(cmd, "") ) // do the GDB command completion
+	if ( zeek::util::streq(cmd, "") ) // do the GDB command completion
 		{
 #ifdef HAVE_READLINE
 		int i;
@ -581,7 +581,7 @@ int dbg_execute_command(const char* cmd)
 			return 0;
 		}
-	char* localcmd = copy_string(cmd);
+	char* localcmd = zeek::util::copy_string(cmd);
 	string opstring;
 	vector<string> arguments;
@ -768,7 +768,7 @@ string get_context_description(const zeek::detail::Stmt* stmt, const zeek::detai
 		loc = *stmt->GetLocationInfo();
 	else
 		{
-		loc.filename = copy_string("<no filename>");
+		loc.filename = zeek::util::copy_string("<no filename>");
 		loc.last_line = 0;
 		}
@ -831,7 +831,7 @@ int dbg_handle_debug_input()
 		// readline uses malloc, and we want to be consistent
 		// with it.
-		input_line = (char*) safe_malloc(1024);
+		input_line = (char*) zeek::util::safe_malloc(1024);
 		input_line[1023] = 0;
 		// ### Maybe it's not always stdin.
 		input_line = fgets(input_line, 1023, stdin);
@ -930,7 +930,7 @@ bool pre_execute_stmt(zeek::detail::Stmt* stmt, zeek::detail::Frame* f)
 	return true;
 	}
-bool post_execute_stmt(zeek::detail::Stmt* stmt, zeek::detail::Frame* f, zeek::Val* result, stmt_flow_type* flow)
+bool post_execute_stmt(zeek::detail::Stmt* stmt, zeek::detail::Frame* f, zeek::Val* result, zeek::detail::StmtFlowType* flow)
 	{
 	// Handle the case where someone issues a "next" debugger command,
 	// but we're at a return statement, so the next statement is in
--- a/src/Debug.h
+++ b/src/Debug.h
@ -148,7 +148,7 @@ std::vector<ParseLocationRec> parse_location_string(const std::string& s);
 // Return true to continue execution, false to abort.
 bool pre_execute_stmt(zeek::detail::Stmt* stmt, zeek::detail::Frame* f);
-bool post_execute_stmt(zeek::detail::Stmt* stmt, zeek::detail::Frame* f, zeek::Val* result, stmt_flow_type* flow);
+bool post_execute_stmt(zeek::detail::Stmt* stmt, zeek::detail::Frame* f, zeek::Val* result, StmtFlowType* flow);
 // Returns 1 if successful, 0 otherwise.
 // If cmdfile is non-nil, it contains the location of a file of commands
--- a/src/DebugCmds.cc
+++ b/src/DebugCmds.cc
@ -37,7 +37,7 @@ static bool string_is_regex(const string& s)
 static void lookup_global_symbols_regex(const string& orig_regex, vector<zeek::detail::ID*>& matches,
                                        bool func_only = false)
 	{
-	if ( streq(orig_regex.c_str(), "") )
+	if ( zeek::util::streq(orig_regex.c_str(), "") )
 		return;
 	string regex = "^";
--- a/src/DebugLogger.cc
+++ b/src/DebugLogger.cc
@ -4,7 +4,7 @@
 #include <unistd.h>
 #include "DebugLogger.h"
-#include "Net.h"
+#include "RunState.h"
 #include "plugin/Plugin.h"
 zeek::detail::DebugLogger zeek::detail::debug_logger;
@ -49,7 +49,7 @@ void DebugLogger::OpenDebugLog(const char* filename)
 	{
 	if ( filename )
 		{
-		filename = log_file_name(filename);
+		filename = zeek::util::detail::log_file_name(filename);
 		file = fopen(filename, "w");
 		if ( ! file )
@ -93,7 +93,7 @@ void DebugLogger::ShowStreamsHelp()
 void DebugLogger::EnableStreams(const char* s)
 	{
 	char* brkt;
-	char* tmp = copy_string(s);
+	char* tmp = zeek::util::copy_string(s);
 	char* tok = strtok(tmp, ",");
 	while ( tok )
@ -159,7 +159,7 @@ void DebugLogger::Log(DebugStream stream, const char* fmt, ...)
 		return;
 	fprintf(file, "%17.06f/%17.06f [%s] ",
-			network_time, current_time(true), g->prefix);
+			zeek::run_state::network_time, zeek::util::current_time(true), g->prefix);
 	for ( int i = g->indent; i > 0; --i )
 		fputs("   ", file);
@ -176,13 +176,13 @@ void DebugLogger::Log(DebugStream stream, const char* fmt, ...)
 void DebugLogger::Log(const zeek::plugin::Plugin& plugin, const char* fmt, ...)
 	{
 	std::string tok = std::string("plugin-") + plugin.Name();
-	tok = strreplace(tok, "::", "-");
+	tok = zeek::util::strreplace(tok, "::", "-");
 	if ( enabled_streams.find(tok) == enabled_streams.end() )
 		return;
 	fprintf(file, "%17.06f/%17.06f [plugin %s] ",
-			network_time, current_time(true), plugin.Name().c_str());
+			zeek::run_state::network_time, zeek::util::current_time(true), plugin.Name().c_str());
 	va_list ap;
 	va_start(ap, fmt);
--- a/src/Desc.cc
+++ b/src/Desc.cc
@ -27,7 +27,7 @@ ODesc::ODesc(desc_type t, zeek::File* arg_f)
 	if ( f == nullptr )
 		{
 		size = DEFAULT_SIZE;
-		base = safe_malloc(size);
+		base = zeek::util::safe_malloc(size);
 		((char*) base)[0] = '\0';
 		offset = 0;
 		}
@ -335,7 +335,7 @@ void ODesc::AddBytes(const void* bytes, unsigned int n)
 		if ( p.first )
 			{
 			AddBytesRaw(s, p.first - s);
-			get_escaped_string(this, p.first, p.second, true);
+			zeek::util::get_escaped_string(this, p.first, p.second, true);
 			s = p.first + p.second;
 			}
 		else
@ -388,7 +388,7 @@ void ODesc::Grow(unsigned int n)
 	while ( offset + n + SLOP >= size )
 		size *= 2;
-	base = safe_realloc(base, size);
+	base = zeek::util::safe_realloc(base, size);
 	}
 void ODesc::Clear()
@ -400,7 +400,7 @@ void ODesc::Clear()
 		{
 		free(base);
 		size = DEFAULT_SIZE;
-		base = safe_malloc(size);
+		base = zeek::util::safe_malloc(size);
 		((char*) base)[0] = '\0';
 		}
 	}
--- a/src/Dict.cc
+++ b/src/Dict.cc
@ -418,14 +418,14 @@ size_t Dictionary::MemoryAllocation() const
 	size_t size = padded_sizeof(*this);
 	if ( table )
 		{
-		size += pad_size(Capacity() * sizeof(detail::DictEntry));
+		size += zeek::util::pad_size(Capacity() * sizeof(detail::DictEntry));
 		for ( int i = Capacity()-1; i>=0; i-- )
 			if ( ! table[i].Empty() && table[i].key_size > 8 )
-				size += pad_size(table[i].key_size);
+				size += zeek::util::pad_size(table[i].key_size);
 		}
 	if ( order )
-		size += padded_sizeof(std::vector<detail::DictEntry>) + pad_size(sizeof(detail::DictEntry) * order->capacity());
+		size += padded_sizeof(std::vector<detail::DictEntry>) + zeek::util::pad_size(sizeof(detail::DictEntry) * order->capacity());
 	return size;
 	}
@ -507,7 +507,7 @@ void Dictionary::Dump(int level) const
 		{
 		if ( table[i].Empty() )
 			continue;
-		key_size += pad_size(table[i].key_size);
+		key_size += zeek::util::pad_size(table[i].key_size);
 		if ( ! table[i].value )
 			continue;
 		}
--- a/src/Discard.cc
+++ b/src/Discard.cc
@ -7,7 +7,7 @@
 #include <algorithm>
 #include "ZeekString.h"
-#include "Net.h"
+#include "RunState.h"
 #include "Func.h"
 #include "Var.h"
 #include "Val.h"
--- a/src/EquivClass.cc
+++ b/src/EquivClass.cc
@ -4,6 +4,7 @@
 #include "EquivClass.h"
 #include "CCL.h"
 #include "util.h"
 namespace zeek::detail {
@ -188,7 +189,7 @@ void EquivClass::Dump(FILE* f)
 int EquivClass::Size() const
 	{
-	return padded_sizeof(*this) + pad_size(sizeof(int) * size * (ccl_flags ? 5 : 4));
+	return padded_sizeof(*this) + zeek::util::pad_size(sizeof(int) * size * (ccl_flags ? 5 : 4));
 	}
 } // namespace zeek::detail
--- a/src/Event.cc
+++ b/src/Event.cc
@ -11,7 +11,7 @@
 #include "plugin/Manager.h"
 #include "iosource/Manager.h"
 #include "iosource/PktSrc.h"
-#include "Net.h"
+#include "RunState.h"
 zeek::EventMgr zeek::event_mgr;
 zeek::EventMgr& mgr = zeek::event_mgr;
@ -19,7 +19,8 @@ zeek::EventMgr& mgr = zeek::event_mgr;
 namespace zeek {
 Event::Event(EventHandlerPtr arg_handler, zeek::Args arg_args,
-             SourceID arg_src, zeek::analyzer::ID arg_aid, Obj* arg_obj)
+             zeek::util::detail::SourceID arg_src, zeek::analyzer::ID arg_aid,
             Obj* arg_obj)
 	: handler(arg_handler),
 	  args(std::move(arg_args)),
 	  src(arg_src),
@ -48,7 +49,7 @@ void Event::Describe(ODesc* d) const
 void Event::Dispatch(bool no_remote)
 	{
-	if ( src == SOURCE_BROKER )
+	if ( src == zeek::util::detail::SOURCE_BROKER )
 		no_remote = true;
 	if ( handler->ErrorHandler() )
@ -75,7 +76,7 @@ void Event::Dispatch(bool no_remote)
 EventMgr::EventMgr()
 	{
 	head = tail = nullptr;
-	current_src = SOURCE_LOCAL;
+	current_src = zeek::util::detail::SOURCE_LOCAL;
 	current_aid = 0;
 	src_val = nullptr;
 	draining = false;
@ -93,15 +94,15 @@ EventMgr::~EventMgr()
 	Unref(src_val);
 	}
-void EventMgr::QueueEventFast(const EventHandlerPtr &h, val_list vl,
+void EventMgr::QueueEventFast(const EventHandlerPtr &h, ValPList vl,
-                              SourceID src, analyzer::ID aid, zeek::detail::TimerMgr* mgr,
+                              zeek::util::detail::SourceID src, analyzer::ID aid, zeek::detail::TimerMgr* mgr,
                              Obj* obj)
 	{
 	QueueEvent(new Event(h, zeek::val_list_to_args(vl), src, aid, obj));
 	}
-void EventMgr::QueueEvent(const EventHandlerPtr &h, val_list vl,
+void EventMgr::QueueEvent(const EventHandlerPtr &h, ValPList vl,
-                          SourceID src, analyzer::ID aid,
+                          zeek::util::detail::SourceID src, analyzer::ID aid,
                          zeek::detail::TimerMgr* mgr, Obj* obj)
 	{
 	auto args = zeek::val_list_to_args(vl);
@ -110,8 +111,8 @@ void EventMgr::QueueEvent(const EventHandlerPtr &h, val_list vl,
 		Enqueue(h, std::move(args), src, aid, obj);
 	}
-void EventMgr::QueueEvent(const EventHandlerPtr &h, val_list* vl,
+void EventMgr::QueueEvent(const EventHandlerPtr &h, ValPList* vl,
-                          SourceID src, analyzer::ID aid,
+                          zeek::util::detail::SourceID src, analyzer::ID aid,
                          zeek::detail::TimerMgr* mgr, Obj* obj)
 	{
 	auto args = zeek::val_list_to_args(*vl);
@ -122,7 +123,8 @@ void EventMgr::QueueEvent(const EventHandlerPtr &h, val_list* vl,
 	}
 void EventMgr::Enqueue(const EventHandlerPtr& h, zeek::Args vl,
-                       SourceID src, zeek::analyzer::ID aid, Obj* obj)
+                       zeek::util::detail::SourceID src,
                       zeek::analyzer::ID aid, Obj* obj)
 	{
 	QueueEvent(new Event(h, std::move(vl), src, aid, obj));
 	}
@ -199,7 +201,7 @@ void EventMgr::Drain()
 	// Make sure all of the triggers get processed every time the events
 	// drain.
-	trigger_mgr->Process();
+	zeek::detail::trigger_mgr->Process();
 	}
 void EventMgr::Describe(ODesc* d) const
@ -223,9 +225,9 @@ void EventMgr::Process()
 	// If we don't have a source, or the source is closed, or we're
 	// reading live (which includes pseudo-realtime), advance the time
 	// here to the current time since otherwise it won't move forward.
-	iosource::PktSrc* pkt_src = iosource_mgr->GetPktSrc();
+	zeek::iosource::PktSrc* pkt_src = zeek::iosource_mgr->GetPktSrc();
-	if ( ! pkt_src || ! pkt_src->IsOpen() || reading_live )
+	if ( ! pkt_src || ! pkt_src->IsOpen() || zeek::run_state::reading_live )
-		net_update_time(current_time());
+		zeek::run_state::detail::update_network_time(zeek::util::current_time());
 	queue_flare.Extinguish();
@ -233,16 +235,16 @@ void EventMgr::Process()
 	// to call Drain() as part of this method. It will get called at
 	// the end of net_run after all of the sources have been processed
 	// and had the opportunity to spawn new events. We could use
-	// iosource_mgr->Wakeup() instead of making EventMgr an IOSource,
+	// zeek::iosource_mgr->Wakeup() instead of making EventMgr an IOSource,
 	// but then we couldn't update the time above and nothing would
 	// drive it forward.
 	}
 void EventMgr::InitPostScript()
 	{
-	iosource_mgr->Register(this, true, false);
+	zeek::iosource_mgr->Register(this, true, false);
-	if ( ! iosource_mgr->RegisterFd(queue_flare.FD(), this) )
+	if ( ! zeek::iosource_mgr->RegisterFd(queue_flare.FD(), this) )
-		zeek::reporter->FatalError("Failed to register event manager FD with iosource_mgr");
+		zeek::reporter->FatalError("Failed to register event manager FD with zeek::iosource_mgr");
 	}
 } // namespace zeek
--- a/src/Event.h
+++ b/src/Event.h
@ -2,7 +2,7 @@
 #pragma once
-#include "BroList.h"
+#include "ZeekList.h"
 #include "analyzer/Analyzer.h"
 #include "iosource/IOSource.h"
 #include "Flare.h"
@ -19,13 +19,13 @@ namespace zeek {
 class Event final : public zeek::Obj {
 public:
 	Event(EventHandlerPtr handler, zeek::Args args,
-	      SourceID src = SOURCE_LOCAL, zeek::analyzer::ID aid = 0,
+	      zeek::util::detail::SourceID src = zeek::util::detail::SOURCE_LOCAL, zeek::analyzer::ID aid = 0,
 	      zeek::Obj* obj = nullptr);
 	void SetNext(Event* n)		{ next_event = n; }
 	Event* NextEvent() const	{ return next_event; }
-	SourceID Source() const		{ return src; }
+	zeek::util::detail::SourceID Source() const		{ return src; }
 	zeek::analyzer::ID Analyzer() const	{ return aid; }
 	EventHandlerPtr Handler() const	{ return handler; }
 	const zeek::Args& Args() const	{ return args; }
@ -41,7 +41,7 @@ protected:
 	EventHandlerPtr handler;
 	zeek::Args args;
-	SourceID src;
+	zeek::util::detail::SourceID src;
 	zeek::analyzer::ID aid;
 	zeek::Obj* obj;
 	Event* next_event;
@ -61,8 +61,8 @@ public:
 	// because it would be a waste of effort to construct all the event
 	// arguments when there's no handlers to consume them).
 	[[deprecated("Remove in v4.1.  Use Enqueue() instead.")]]
-	void QueueEventFast(const EventHandlerPtr &h, val_list vl,
+	void QueueEventFast(const EventHandlerPtr &h, ValPList vl,
-	                    SourceID src = SOURCE_LOCAL, zeek::analyzer::ID aid = 0,
+	                    zeek::util::detail::SourceID src = zeek::util::detail::SOURCE_LOCAL, zeek::analyzer::ID aid = 0,
 	                    zeek::detail::TimerMgr* mgr = nullptr, zeek::Obj* obj = nullptr);
 	// Queues an event if there's an event handler (or remote consumer).  This
@ -72,8 +72,8 @@ public:
 	// QueueEventFast() instead of this function to prevent the redundant
 	// existence check.
 	[[deprecated("Remove in v4.1.  Use Enqueue() instead.")]]
-	void QueueEvent(const EventHandlerPtr &h, val_list vl,
+	void QueueEvent(const EventHandlerPtr &h, ValPList vl,
-	                SourceID src = SOURCE_LOCAL, zeek::analyzer::ID aid = 0,
+	                zeek::util::detail::SourceID src = zeek::util::detail::SOURCE_LOCAL, zeek::analyzer::ID aid = 0,
 	                zeek::detail::TimerMgr* mgr = nullptr, zeek::Obj* obj = nullptr);
 	// Same as QueueEvent, except taking the event's argument list via a
@ -81,8 +81,8 @@ public:
 	// memory pointed to by 'vl' as well as decrementing the reference count of
 	// each of its elements.
 	[[deprecated("Remove in v4.1.  Use Enqueue() instead.")]]
-	void QueueEvent(const EventHandlerPtr &h, val_list* vl,
+	void QueueEvent(const EventHandlerPtr &h, ValPList* vl,
-	                SourceID src = SOURCE_LOCAL, zeek::analyzer::ID aid = 0,
+	                zeek::util::detail::SourceID src = zeek::util::detail::SOURCE_LOCAL, zeek::analyzer::ID aid = 0,
 	                zeek::detail::TimerMgr* mgr = nullptr, zeek::Obj* obj = nullptr);
 	/**
@ -98,7 +98,7 @@ public:
 	 * reference to until dispatching the event.
 	 */
 	void Enqueue(const EventHandlerPtr& h, zeek::Args vl,
-	             SourceID src = SOURCE_LOCAL, zeek::analyzer::ID aid = 0,
+	             zeek::util::detail::SourceID src = zeek::util::detail::SOURCE_LOCAL, zeek::analyzer::ID aid = 0,
 	             zeek::Obj* obj = nullptr);
 	/**
@ -119,7 +119,7 @@ public:
 	bool HasEvents() const	{ return head != nullptr; }
 	// Returns the source ID of last raised event.
-	SourceID CurrentSource() const	{ return current_src; }
+	zeek::util::detail::SourceID CurrentSource() const	{ return current_src; }
 	// Returns the ID of the analyzer which raised the last event, or 0 if
 	// non-analyzer event.
@ -143,7 +143,7 @@ protected:
 	Event* head;
 	Event* tail;
-	SourceID current_src;
+	zeek::util::detail::SourceID current_src;
 	zeek::analyzer::ID current_aid;
 	zeek::RecordVal* src_val;
 	bool draining;
--- a/src/EventHandler.cc
+++ b/src/EventHandler.cc
@ -72,7 +72,7 @@ void EventHandler::Call(zeek::Args* vl, bool no_remote)
 			for ( auto i = 0u; i < vl->size(); ++i )
 				{
-				auto opt_data = bro_broker::val_to_data((*vl)[i].get());
+				auto opt_data = zeek::Broker::detail::val_to_data((*vl)[i].get());
 				if ( opt_data )
 					xs.emplace_back(std::move(*opt_data));
--- a/src/EventHandler.h
+++ b/src/EventHandler.h
@ -2,7 +2,7 @@
 #pragma once
-#include "BroList.h"
+#include "ZeekList.h"
 #include "ZeekArgs.h"
 #include "Type.h"
--- a/src/Expr.cc
+++ b/src/Expr.cc
@ -11,7 +11,7 @@
 #include "Scope.h"
 #include "Stmt.h"
 #include "EventRegistry.h"
-#include "Net.h"
+#include "RunState.h"
 #include "Traverse.h"
 #include "Trigger.h"
 #include "IPAddr.h"
@ -1265,8 +1265,8 @@ AddToExpr::AddToExpr(ExprPtr arg_op1, ExprPtr arg_op2)
 			}
 		else if ( bt1 != bt2 && bt1 != zeek::TYPE_ANY )
-			ExprError(fmt("incompatible vector append: %s and %s",
+			ExprError(zeek::util::fmt("incompatible vector append: %s and %s",
-					  type_name(bt1), type_name(bt2)));
+			                          type_name(bt1), type_name(bt2)));
 		else
 			SetType(op1->GetType());
@ -1487,12 +1487,12 @@ ValPtr DivideExpr::AddrFold(Val* v1, Val* v2) const
 	if ( a.GetFamily() == IPv4 )
 		{
 		if ( mask > 32 )
-			RuntimeError(fmt("bad IPv4 subnet prefix length: %" PRIu32, mask));
+			RuntimeError(zeek::util::fmt("bad IPv4 subnet prefix length: %" PRIu32, mask));
 		}
 	else
 		{
 		if ( mask > 128 )
-			RuntimeError(fmt("bad IPv6 subnet prefix length: %" PRIu32, mask));
+			RuntimeError(zeek::util::fmt("bad IPv6 subnet prefix length: %" PRIu32, mask));
 		}
 	return zeek::make_intrusive<zeek::SubNetVal>(a, mask);
@ -2249,8 +2249,8 @@ bool AssignExpr::TypeCheckArithmetics(TypeTag bt1, TypeTag bt2)
 	{
 	if ( ! IsArithmetic(bt2) )
 		{
-		ExprError(fmt("assignment of non-arithmetic value to arithmetic (%s/%s)",
+		ExprError(zeek::util::fmt("assignment of non-arithmetic value to arithmetic (%s/%s)",
-				type_name(bt1), type_name(bt2)));
+		                          type_name(bt1), type_name(bt2)));
 		return false;
 		}
@ -2459,7 +2459,7 @@ bool AssignExpr::IsRecordElement(TypeDecl* td) const
 			{
 			const NameExpr* n = (const NameExpr*) op1.get();
 			td->type = op2->GetType();
-			td->id = copy_string(n->Id()->Name());
+			td->id = zeek::util::copy_string(n->Id()->Name());
 			}
 		return true;
@ -2519,8 +2519,8 @@ IndexExpr::IndexExpr(ExprPtr arg_op1, ListExprPtr arg_op2, bool arg_is_slice)
 	if ( match_type == DOES_NOT_MATCH_INDEX )
 		{
 		std::string error_msg =
-		    fmt("expression with type '%s' is not a type that can be indexed",
+		    zeek::util::fmt("expression with type '%s' is not a type that can be indexed",
-		        type_name(op1->GetType()->Tag()));
+		                    type_name(op1->GetType()->Tag()));
 		SetError(error_msg.data());
 		}
@ -2806,7 +2806,7 @@ void IndexExpr::Assign(Frame* f, ValPtr v)
 				const auto& vt = v->GetType();
 				auto vtt = vt->Tag();
 				std::string tn = vtt == zeek::TYPE_RECORD ? vt->GetName() : type_name(vtt);
-				RuntimeErrorWithCallStack(fmt(
+				RuntimeErrorWithCallStack(zeek::util::fmt(
 				  "vector index assignment failed for invalid type '%s', value: %s",
 				  tn.data(), d.Description()));
 				}
@ -2828,7 +2828,7 @@ void IndexExpr::Assign(Frame* f, ValPtr v)
 				const auto& vt = v->GetType();
 				auto vtt = vt->Tag();
 				std::string tn = vtt == zeek::TYPE_RECORD ? vt->GetName() : type_name(vtt);
-				RuntimeErrorWithCallStack(fmt(
+				RuntimeErrorWithCallStack(zeek::util::fmt(
 				  "table index assignment failed for invalid type '%s', value: %s",
 				  tn.data(), d.Description()));
 				}
@ -2875,7 +2875,7 @@ TraversalCode IndexExpr::Traverse(TraversalCallback* cb) const
 FieldExpr::FieldExpr(ExprPtr arg_op, const char* arg_field_name)
 	: UnaryExpr(EXPR_FIELD, std::move(arg_op)),
-	  field_name(copy_string(arg_field_name)), td(nullptr), field(0)
+	  field_name(zeek::util::copy_string(arg_field_name)), td(nullptr), field(0)
 	{
 	if ( IsError() )
 		return;
@ -3022,7 +3022,7 @@ RecordConstructorExpr::RecordConstructorExpr(ListExprPtr constructor_list)
 	// Spin through the list, which should be comprised only of
 	// record-field-assign expressions, and build up a
 	// record type to associate with this constructor.
-	const expr_list& exprs = op->AsListExpr()->Exprs();
+	const ExprPList& exprs = op->AsListExpr()->Exprs();
 	type_decl_list* record_types = new type_decl_list(exprs.length());
 	for ( const auto& e : exprs )
@ -3036,7 +3036,7 @@ RecordConstructorExpr::RecordConstructorExpr(ListExprPtr constructor_list)
 		FieldAssignExpr* field = (FieldAssignExpr*) e;
 		const auto& field_type = field->GetType();
-		char* field_name = copy_string(field->FieldName());
+		char* field_name = zeek::util::copy_string(field->FieldName());
 		record_types->push_back(new TypeDecl(field_name, field_type));
 		}
@ -3130,7 +3130,7 @@ TableConstructorExpr::TableConstructorExpr(ListExprPtr constructor_list,
 		attrs = zeek::make_intrusive<Attributes>(std::move(*arg_attrs), type, false, false);
 	const auto& indices = type->AsTableType()->GetIndices()->GetTypes();
-	const expr_list& cle = op->AsListExpr()->Exprs();
+	const ExprPList& cle = op->AsListExpr()->Exprs();
 	// check and promote all index expressions in ctor list
 	for ( const auto& expr : cle )
@ -3143,7 +3143,7 @@ TableConstructorExpr::TableConstructorExpr(ListExprPtr constructor_list,
 		if ( idx_expr->Tag() != EXPR_LIST )
 			continue;
-		expr_list& idx_exprs = idx_expr->AsListExpr()->Exprs();
+		ExprPList& idx_exprs = idx_expr->AsListExpr()->Exprs();
 		if ( idx_exprs.length() != static_cast<int>(indices.size()) )
 			continue;
@ -3176,7 +3176,7 @@ ValPtr TableConstructorExpr::Eval(Frame* f) const
 		return nullptr;
 	auto aggr = zeek::make_intrusive<zeek::TableVal>(GetType<TableType>(), attrs);
-	const expr_list& exprs = op->AsListExpr()->Exprs();
+	const ExprPList& exprs = op->AsListExpr()->Exprs();
 	for ( const auto& expr : exprs )
 		expr->EvalIntoAggregate(type.get(), aggr.get(), f);
@ -3196,7 +3196,7 @@ ValPtr TableConstructorExpr::InitVal(const zeek::Type* t, ValPtr aggr) const
 	auto tval = aggr ?
 	        TableValPtr{zeek::AdoptRef{}, aggr.release()->AsTableVal()} :
 	zeek::make_intrusive<zeek::TableVal>(std::move(tt), attrs);
-	const expr_list& exprs = op->AsListExpr()->Exprs();
+	const ExprPList& exprs = op->AsListExpr()->Exprs();
 	for ( const auto& expr : exprs )
 		expr->EvalIntoAggregate(t, tval.get(), nullptr);
@ -3248,7 +3248,7 @@ SetConstructorExpr::SetConstructorExpr(ListExprPtr constructor_list,
 		attrs = zeek::make_intrusive<Attributes>(std::move(*arg_attrs), type, false, false);
 	const auto& indices = type->AsTableType()->GetIndices()->GetTypes();
-	expr_list& cle = op->AsListExpr()->Exprs();
+	ExprPList& cle = op->AsListExpr()->Exprs();
 	if ( indices.size() == 1 )
 		{
@ -3286,7 +3286,7 @@ ValPtr SetConstructorExpr::Eval(Frame* f) const
 	auto aggr = zeek::make_intrusive<zeek::TableVal>(IntrusivePtr{zeek::NewRef{}, type->AsTableType()},
 	                                     attrs);
-	const expr_list& exprs = op->AsListExpr()->Exprs();
+	const ExprPList& exprs = op->AsListExpr()->Exprs();
 	for ( const auto& expr : exprs )
 		{
@ -3307,7 +3307,7 @@ ValPtr SetConstructorExpr::InitVal(const zeek::Type* t, ValPtr aggr) const
 	auto tval = aggr ?
 	        TableValPtr{zeek::AdoptRef{}, aggr.release()->AsTableVal()} :
 	zeek::make_intrusive<zeek::TableVal>(std::move(tt), attrs);
-	const expr_list& exprs = op->AsListExpr()->Exprs();
+	const ExprPList& exprs = op->AsListExpr()->Exprs();
 	for ( const auto& e : exprs )
 		{
@ -3315,7 +3315,7 @@ ValPtr SetConstructorExpr::InitVal(const zeek::Type* t, ValPtr aggr) const
 		if ( ! element || ! tval->Assign(std::move(element), nullptr) )
 			{
-			Error(fmt("initialization type mismatch in set"), e);
+			Error(zeek::util::fmt("initialization type mismatch in set"), e);
 			return nullptr;
 			}
 		}
@ -3379,7 +3379,7 @@ ValPtr VectorConstructorExpr::Eval(Frame* f) const
 		return nullptr;
 	auto vec = zeek::make_intrusive<zeek::VectorVal>(GetType<zeek::VectorType>());
-	const expr_list& exprs = op->AsListExpr()->Exprs();
+	const ExprPList& exprs = op->AsListExpr()->Exprs();
 	loop_over_list(exprs, i)
 		{
@ -3387,7 +3387,7 @@ ValPtr VectorConstructorExpr::Eval(Frame* f) const
 		if ( ! vec->Assign(i, e->Eval(f)) )
 			{
-			RuntimeError(fmt("type mismatch at index %d", i));
+			RuntimeError(zeek::util::fmt("type mismatch at index %d", i));
 			return nullptr;
 			}
 		}
@ -3404,7 +3404,7 @@ ValPtr VectorConstructorExpr::InitVal(const zeek::Type* t, ValPtr aggr) const
 	auto vec = aggr ?
 	        VectorValPtr{zeek::AdoptRef{}, aggr.release()->AsVectorVal()} :
 	zeek::make_intrusive<zeek::VectorVal>(std::move(vt));
-	const expr_list& exprs = op->AsListExpr()->Exprs();
+	const ExprPList& exprs = op->AsListExpr()->Exprs();
 	loop_over_list(exprs, i)
 		{
@ -3413,7 +3413,7 @@ ValPtr VectorConstructorExpr::InitVal(const zeek::Type* t, ValPtr aggr) const
 		if ( ! v || ! vec->Assign(i, std::move(v)) )
 			{
-			Error(fmt("initialization type mismatch at index %d", i), e);
+			Error(zeek::util::fmt("initialization type mismatch at index %d", i), e);
 			return nullptr;
 			}
 		}
@ -3460,7 +3460,7 @@ bool FieldAssignExpr::IsRecordElement(TypeDecl* td) const
 	if ( td )
 		{
 		td->type = op->GetType();
-		td->id = copy_string(field_name.c_str());
+		td->id = zeek::util::copy_string(field_name.c_str());
 		}
 	return true;
@ -3584,8 +3584,8 @@ RecordCoerceExpr::RecordCoerceExpr(ExprPtr arg_op, zeek::RecordTypePtr r)
 			int t_i = t_r->FieldOffset(sub_r->FieldName(i));
 			if ( t_i < 0 )
 				{
-				ExprError(fmt("orphaned field \"%s\" in record coercion",
+				ExprError(zeek::util::fmt("orphaned field \"%s\" in record coercion",
-				              sub_r->FieldName(i)));
+				                          sub_r->FieldName(i)));
 				break;
 				}
@ -3626,7 +3626,7 @@ RecordCoerceExpr::RecordCoerceExpr(ExprPtr arg_op, zeek::RecordTypePtr r)
 				if ( ! is_arithmetic_promotable(sup_t_i.get(), sub_t_i.get()) &&
 				     ! is_record_promotable(sup_t_i.get(), sub_t_i.get()) )
 					{
-					std::string error_msg = fmt(
+					std::string error_msg = zeek::util::fmt(
 						"type clash for field \"%s\"", sub_r->FieldName(i));
 					Error(error_msg.c_str(), sub_t_i.get());
 					SetError();
@ -3646,7 +3646,7 @@ RecordCoerceExpr::RecordCoerceExpr(ExprPtr arg_op, zeek::RecordTypePtr r)
 				{
 				if ( ! t_r->FieldDecl(i)->GetAttr(ATTR_OPTIONAL) )
 					{
-					std::string error_msg = fmt(
+					std::string error_msg = zeek::util::fmt(
 						"non-optional field \"%s\" missing", t_r->FieldName(i));
 					Error(error_msg.c_str());
 					SetError();
@ -3861,7 +3861,7 @@ bool ScheduleExpr::IsPure() const
 ValPtr ScheduleExpr::Eval(Frame* f) const
 	{
-	if ( terminating )
+	if ( zeek::run_state::terminating )
 		return nullptr;
 	auto when_val = when->Eval(f);
@ -3872,7 +3872,7 @@ ValPtr ScheduleExpr::Eval(Frame* f) const
 	double dt = when_val->InternalDouble();
 	if ( when->GetType()->Tag() == zeek::TYPE_INTERVAL )
-		dt += network_time;
+		dt += zeek::run_state::network_time;
 	auto args = eval_list(f, event->Args());
@ -4010,7 +4010,7 @@ ValPtr InExpr::Fold(Val* v1, Val* v2) const
 		// Could do better here e.g. Boyer-Moore if done repeatedly.
 		auto s = reinterpret_cast<const unsigned char*>(s1->CheckString());
-		auto res = strstr_n(s2->Len(), s2->Bytes(), s1->Len(), s) != -1;
+		auto res = zeek::util::strstr_n(s2->Len(), s2->Bytes(), s1->Len(), s) != -1;
 		return zeek::val_mgr->Bool(res);
 		}
@ -4096,7 +4096,7 @@ CallExpr::CallExpr(ExprPtr arg_func, ListExprPtr arg_args, bool in_hook)
 		     // run-time errors when we apply this analysis during
 		     // parsing.  Really we should instead do it after we've
 		     // parsed the entire set of scripts.
-		     streq(((NameExpr*) func.get())->Id()->Name(), "fmt") &&
+		     zeek::util::streq(((NameExpr*) func.get())->Id()->Name(), "fmt") &&
 		     // The following is needed because fmt might not yet
 		     // be bound as a name.
 		     did_builtin_init &&
@ -4210,7 +4210,7 @@ void CallExpr::ExprDescribe(ODesc* d) const
 	}
 LambdaExpr::LambdaExpr(std::unique_ptr<function_ingredients> arg_ing,
-                       id_list arg_outer_ids) : Expr(EXPR_LAMBDA)
+                       IDPList arg_outer_ids) : Expr(EXPR_LAMBDA)
 	{
 	ingredients = std::move(arg_ing);
 	outer_ids = std::move(arg_outer_ids);
@ -4594,7 +4594,7 @@ ValPtr ListExpr::InitVal(const zeek::Type* t, ValPtr aggr) const
 			if ( ! vec->Assign(i, e->Eval(nullptr)) )
 				{
-				e->Error(fmt("type mismatch at index %d", i));
+				e->Error(zeek::util::fmt("type mismatch at index %d", i));
 				return nullptr;
 				}
 			}
@ -4742,7 +4742,7 @@ TraversalCode ListExpr::Traverse(TraversalCallback* cb) const
 RecordAssignExpr::RecordAssignExpr(const ExprPtr& record,
                                   const ExprPtr& init_list, bool is_init)
 	{
-	const expr_list& inits = init_list->AsListExpr()->Exprs();
+	const ExprPList& inits = init_list->AsListExpr()->Exprs();
 	RecordType* lhs = record->GetType()->AsRecordType();
@ -4834,7 +4834,7 @@ ValPtr CastExpr::Eval(Frame* f) const
 	GetType()->Describe(&d);
 	d.Add("'");
-	if ( same_type(v->GetType(), bro_broker::DataVal::ScriptDataType()) &&
+	if ( same_type(v->GetType(), zeek::Broker::detail::DataVal::ScriptDataType()) &&
 		 ! v->AsRecordVal()->GetField(0) )
 		d.Add(" (nil $data field)");
@ -4968,7 +4968,7 @@ ExprPtr check_and_promote_expr(Expr* const e, zeek::Type* t)
 bool check_and_promote_exprs(ListExpr* const elements, TypeList* types)
 	{
-	expr_list& el = elements->Exprs();
+	ExprPList& el = elements->Exprs();
 	const auto& tl = types->GetTypes();
 	if ( tl.size() == 1 && tl[0]->Tag() == zeek::TYPE_ANY )
@ -5003,7 +5003,7 @@ bool check_and_promote_exprs(ListExpr* const elements, TypeList* types)
 bool check_and_promote_args(ListExpr* const args, RecordType* types)
 	{
-	expr_list& el = args->Exprs();
+	ExprPList& el = args->Exprs();
 	int ntypes = types->NumFields();
 	// give variadic BIFs automatic pass
@ -5012,7 +5012,7 @@ bool check_and_promote_args(ListExpr* const args, RecordType* types)
 	if ( el.length() < ntypes )
 		{
-		expr_list def_elements;
+		ExprPList def_elements;
 		// Start from rightmost parameter, work backward to fill in missing
 		// arguments using &default expressions.
@ -5047,7 +5047,7 @@ bool check_and_promote_args(ListExpr* const args, RecordType* types)
 bool check_and_promote_exprs_to_type(ListExpr* const elements, zeek::Type* type)
 	{
-	expr_list& el = elements->Exprs();
+	ExprPList& el = elements->Exprs();
 	if ( type->Tag() == zeek::TYPE_ANY )
 		return true;
@ -5075,7 +5075,7 @@ bool check_and_promote_exprs_to_type(ListExpr* const elements, zeek::Type* type)
 std::optional<std::vector<ValPtr>> eval_list(Frame* f, const ListExpr* l)
 	{
-	const expr_list& e = l->Exprs();
+	const ExprPList& e = l->Exprs();
 	auto rval = std::make_optional<std::vector<ValPtr>>();
 	rval->reserve(e.length());
--- a/src/Expr.h
+++ b/src/Expr.h
@ -8,7 +8,7 @@
 #include <utility>
 #include <optional>
-#include "BroList.h"
+#include "ZeekList.h"
 #include "IntrusivePtr.h"
 #include "Timer.h"
 #include "Type.h"
@ -789,7 +789,7 @@ protected:
 class LambdaExpr final : public Expr {
 public:
 	LambdaExpr(std::unique_ptr<function_ingredients> ingredients,
-		   id_list outer_ids);
+	           IDPList outer_ids);
 	ValPtr Eval(Frame* f) const override;
 	TraversalCode Traverse(TraversalCallback* cb) const override;
@ -802,7 +802,7 @@ protected:
 private:
 	std::unique_ptr<function_ingredients> ingredients;
-	id_list outer_ids;
+	IDPList outer_ids;
 	std::string my_name;
 };
@ -834,8 +834,8 @@ public:
 	void Append(ExprPtr e);
-	const expr_list& Exprs() const	{ return exprs; }
+	const ExprPList& Exprs() const	{ return exprs; }
-	expr_list& Exprs()		{ return exprs; }
+	ExprPList& Exprs()		{ return exprs; }
 	// True if the entire list represents pure values.
 	bool IsPure() const override;
@ -854,7 +854,7 @@ protected:
 	void ExprDescribe(ODesc* d) const override;
-	expr_list exprs;
+	ExprPList exprs;
 };
--- a/src/File.cc
+++ b/src/File.cc
@ -25,7 +25,7 @@
 #include "Type.h"
 #include "Expr.h"
 #include "NetVar.h"
-#include "Net.h"
+#include "RunState.h"
 #include "Event.h"
 #include "Reporter.h"
 #include "Desc.h"
@ -68,8 +68,8 @@ File::File(FILE* arg_f, const char* arg_name, const char* arg_access)
 	{
 	Init();
 	f = arg_f;
-	name = copy_string(arg_name);
+	name = zeek::util::copy_string(arg_name);
-	access = copy_string(arg_access);
+	access = zeek::util::copy_string(arg_access);
 	t = zeek::base_type(zeek::TYPE_STRING);
 	is_open = (f != nullptr);
 	}
@ -78,15 +78,15 @@ File::File(const char* arg_name, const char* arg_access)
 	{
 	Init();
 	f = nullptr;
-	name = copy_string(arg_name);
+	name = zeek::util::copy_string(arg_name);
-	access = copy_string(arg_access);
+	access = zeek::util::copy_string(arg_access);
 	t = zeek::base_type(zeek::TYPE_STRING);
-	if ( streq(name, "/dev/stdin") )
+	if ( zeek::util::streq(name, "/dev/stdin") )
 		f = stdin;
-	else if ( streq(name, "/dev/stdout") )
+	else if ( zeek::util::streq(name, "/dev/stdout") )
 		f = stdout;
-	else if ( streq(name, "/dev/stderr") )
+	else if ( zeek::util::streq(name, "/dev/stderr") )
 		f = stderr;
 	if ( f )
@ -119,7 +119,7 @@ const char* File::Name() const
 bool File::Open(FILE* file, const char* mode)
 	{
 	static bool fds_maximized = false;
-	open_time = network_time ? network_time : current_time();
+	open_time = zeek::run_state::network_time ? zeek::run_state::network_time : zeek::util::current_time();
 	if ( ! fds_maximized )
 		{
@ -282,7 +282,7 @@ zeek::RecordVal* File::Rotate()
 	static auto rotate_info = zeek::id::find_type<zeek::RecordType>("rotate_info");
 	auto* info = new zeek::RecordVal(rotate_info);
-	FILE* newf = rotate_file(name, info);
+	FILE* newf = zeek::util::detail::rotate_file(name, info);
 	if ( ! newf )
 		{
--- a/src/Flare.cc
+++ b/src/Flare.cc
@ -19,7 +19,7 @@ Flare::Flare()
 		abort();
 	char buf[256];
-	bro_strerror_r(errno, buf, sizeof(buf));
+	zeek::util::zeek_strerror_r(errno, buf, sizeof(buf));
 	if ( zeek::reporter )
 		zeek::reporter->FatalErrorWithCore("unexpected pipe %s failure: %s", which, buf);
--- a/src/Frag.cc
+++ b/src/Frag.cc
@ -8,6 +8,7 @@
 #include "NetVar.h"
 #include "Sessions.h"
 #include "Reporter.h"
 #include "RunState.h"
 constexpr uint32_t MIN_ACCEPTABLE_FRAG_SIZE = 64;
 constexpr uint32_t MAX_ACCEPTABLE_FRAG_SIZE = 64000;
@ -154,7 +155,7 @@ void FragReassembler::AddFragment(double t, const zeek::IP_Hdr* ip, const u_char
 	pkt += hdr_len;
 	len -= hdr_len;
-	NewBlock(network_time, offset, len, pkt);
+	NewBlock(zeek::run_state::network_time, offset, len, pkt);
 	}
 void FragReassembler::Weird(const char* name) const
@ -278,7 +279,7 @@ void FragReassembler::BlockInserted(DataBlockMap::const_iterator /* it */)
 			{
 			zeek::reporter->InternalWarning("bad fragment reassembly");
 			DeleteTimer();
-			Expire(network_time);
+			Expire(zeek::run_state::network_time);
 			delete [] pkt_start;
 			return;
 			}
--- a/src/Frame.cc
+++ b/src/Frame.cc
@ -213,14 +213,14 @@ void Frame::CloneNonFuncElement(int offset, ScriptFunc* func, Frame* other) cons
 	other->SetElement(offset, std::move(rval));
 	}
-Frame* Frame::SelectiveClone(const id_list& selection, ScriptFunc* func) const
+Frame* Frame::SelectiveClone(const IDPList& selection, ScriptFunc* func) const
 	{
 	if ( selection.length() == 0 )
 		return nullptr;
-	id_list us;
+	IDPList us;
 	// and
-	id_list them;
+	IDPList them;
 	for ( const auto& we : selection )
 		{
@ -279,16 +279,16 @@ Frame* Frame::SelectiveClone(const id_list& selection, ScriptFunc* func) const
 	return other;
 	}
-broker::expected<broker::data> Frame::Serialize(const Frame* target, const id_list& selection)
+broker::expected<broker::data> Frame::Serialize(const Frame* target, const IDPList& selection)
 	{
 	broker::vector rval;
 	if ( selection.length() == 0 )
 		return {std::move(rval)};
-	id_list us;
+	IDPList us;
 	// and
-	id_list them;
+	IDPList them;
 	std::unordered_map<std::string, int> new_map;
 	if ( target->offset_map )
@ -350,7 +350,7 @@ broker::expected<broker::data> Frame::Serialize(const Frame* target, const id_li
 		zeek::TypeTag tag = val->GetType()->Tag();
-		auto expected = bro_broker::val_to_data(val.get());
+		auto expected = zeek::Broker::detail::val_to_data(val.get());
 		if ( ! expected )
 			return broker::ec::invalid_data;
@ -368,7 +368,7 @@ std::pair<bool, FramePtr> Frame::Unserialize(const broker::vector& data)
 	if ( data.size() == 0 )
 		return std::make_pair(true, nullptr);
-	id_list outer_ids;
+	IDPList outer_ids;
 	OffsetMap offset_map;
 	FramePtr closure;
@ -477,7 +477,7 @@ std::pair<bool, FramePtr> Frame::Unserialize(const broker::vector& data)
 		broker::integer g = *has_type;
 		zeek::Type t( static_cast<zeek::TypeTag>(g) );
-		auto val = bro_broker::data_to_val(std::move(val_tuple[0]), &t);
+		auto val = zeek::Broker::detail::data_to_val(std::move(val_tuple[0]), &t);
 		if ( ! val )
 			return std::make_pair(false, nullptr);
@ -487,7 +487,7 @@ std::pair<bool, FramePtr> Frame::Unserialize(const broker::vector& data)
 	return std::make_pair(true, std::move(rf));
 	}
-void Frame::AddKnownOffsets(const id_list& ids)
+void Frame::AddKnownOffsets(const IDPList& ids)
 	{
 	if ( ! offset_map )
 		offset_map = std::make_unique<OffsetMap>();
@ -499,7 +499,7 @@ void Frame::AddKnownOffsets(const id_list& ids)
 		       });
 	}
-void Frame::CaptureClosure(Frame* c, id_list arg_outer_ids)
+void Frame::CaptureClosure(Frame* c, IDPList arg_outer_ids)
 	{
 	if ( closure || outer_ids.length() )
 		zeek::reporter->InternalError("Attempted to override a closure.");
@ -544,7 +544,7 @@ bool Frame::IsOuterID(const zeek::detail::ID* in) const
 		[&in](zeek::detail::ID* id)-> bool { return strcmp(id->Name(), in->Name()) == 0; });
 	}
-broker::expected<broker::data> Frame::SerializeIDList(const id_list& in)
+broker::expected<broker::data> Frame::SerializeIDList(const IDPList& in)
 	{
 	broker::vector rval;
@ -571,10 +571,10 @@ Frame::SerializeOffsetMap(const std::unordered_map<std::string, int>& in)
 	return {std::move(rval)};
 	}
-std::pair<bool, id_list>
+std::pair<bool, IDPList>
 Frame::UnserializeIDList(const broker::vector& data)
 	{
-	id_list rval;
+	IDPList rval;
 	if ( data.size() % 2 != 0 )
 		return std::make_pair(false, std::move(rval));
@ -587,7 +587,7 @@ Frame::UnserializeIDList(const broker::vector& data)
 			for ( auto& i : rval )
 				Unref(i);
-			rval = id_list{};
+			rval = IDPList{};
 			return std::make_pair(false, std::move(rval));
 			}
@ -599,7 +599,7 @@ Frame::UnserializeIDList(const broker::vector& data)
 			for ( auto& i : rval )
 				Unref(i);
-			rval = id_list{};
+			rval = IDPList{};
 			return std::make_pair(false, std::move(rval));
 			}
--- a/src/Frame.h
+++ b/src/Frame.h
@ -2,7 +2,7 @@
 #pragma once
-#include "BroList.h" // for typedef val_list
+#include "ZeekList.h" // for typedef val_list
 #include "Obj.h"
 #include "IntrusivePtr.h"
 #include "ZeekArgs.h"
@ -175,7 +175,7 @@ public:
 	 * *selection* have been cloned. All other values are made to be
 	 * null.
 	 */
-	Frame* SelectiveClone(const id_list& selection, ScriptFunc* func) const;
+	Frame* SelectiveClone(const IDPList& selection, ScriptFunc* func) const;
 	/**
 	 * Serializes the Frame into a Broker representation.
@ -200,7 +200,7 @@ public:
 	 * @return the broker representaton, or an error if the serialization
 	 * failed.
 	 */
-	static broker::expected<broker::data> Serialize(const Frame* target, const id_list& selection);
+	static broker::expected<broker::data> Serialize(const Frame* target, const IDPList& selection);
 	/**
 	 * Instantiates a Frame from a serialized one.
@ -218,7 +218,7 @@ public:
 	 *
 	 * @param ids the ids that the frame will intake.
 	 */
-	void AddKnownOffsets(const id_list& ids);
+	void AddKnownOffsets(const IDPList& ids);
 	/**
 	 * Captures *c* as this frame's closure and Refs all of the values
@ -226,7 +226,7 @@ public:
 	 * the frame will unref it upon deconstruction. When calling this,
 	 * the frame's closure must not have been set yet.
 	 */
-	void CaptureClosure(Frame* c, id_list outer_ids);
+	void CaptureClosure(Frame* c, IDPList outer_ids);
 	// If the frame is run in the context of a trigger condition evaluation,
 	// the trigger needs to be registered.
@ -293,16 +293,16 @@ private:
 	static broker::expected<broker::data>
 	SerializeOffsetMap(const OffsetMap& in);
-	/** Serializes an id_list */
+	/** Serializes an IDPList */
 	static broker::expected<broker::data>
-	SerializeIDList(const id_list& in);
+	SerializeIDList(const IDPList& in);
 	/** Unserializes an offset map. */
 	static std::pair<bool, std::unordered_map<std::string, int>>
 	UnserializeOffsetMap(const broker::vector& data);
-	/** Unserializes an id_list. */
+	/** Unserializes an IDPList. */
-	static std::pair<bool, id_list>
+	static std::pair<bool, IDPList>
 	UnserializeIDList(const broker::vector& data);
 	/** The number of vals that can be stored in this frame. */
@ -320,7 +320,7 @@ private:
 	Frame* closure;
 	/** ID's used in this frame from the enclosing frame. */
-	id_list outer_ids;
+	IDPList outer_ids;
 	/**
 	 * Maps ID names to offsets. Used if this frame is  serialized
--- a/src/Func.cc
+++ b/src/Func.cc
@ -39,7 +39,7 @@
 #include "Expr.h"
 #include "Stmt.h"
 #include "Scope.h"
-#include "Net.h"
+#include "RunState.h"
 #include "NetVar.h"
 #include "File.h"
 #include "Frame.h"
@ -108,12 +108,12 @@ std::string render_call_stack()
 			arg_desc += d.Description();
 			}
-		rval += fmt("#%d %s(%s)", lvl, name, arg_desc.data());
+		rval += zeek::util::fmt("#%d %s(%s)", lvl, name, arg_desc.data());
 		if ( ci.call )
 			{
 			auto loc = ci.call->GetLocationInfo();
-			rval += fmt(" at %s:%d", loc->filename, loc->first_line);
+			rval += zeek::util::fmt(" at %s:%d", loc->filename, loc->first_line);
 			}
 		++lvl;
@ -286,7 +286,7 @@ void Func::CheckPluginResult(bool handled, const zeek::ValPtr& hook_result,
 	}
 	}
-zeek::Val* Func::Call(val_list* args, zeek::detail::Frame* parent) const
+zeek::Val* Func::Call(ValPList* args, zeek::detail::Frame* parent) const
 	{
 	auto zargs = zeek::val_list_to_args(*args);
 	return Invoke(&zargs, parent).release();
@ -375,7 +375,7 @@ zeek::ValPtr ScriptFunc::Invoke(zeek::Args* args, zeek::detail::Frame* parent) c
 			GetType()->FlavorString().c_str(), d.Description());
 		}
-	stmt_flow_type flow = FLOW_NEXT;
+	StmtFlowType flow = FLOW_NEXT;
 	zeek::ValPtr result;
 	for ( const auto& body : bodies )
@ -498,7 +498,7 @@ void ScriptFunc::AddBody(zeek::detail::StmtPtr new_body,
 	sort(bodies.begin(), bodies.end());
 	}
-void ScriptFunc::AddClosure(id_list ids, zeek::detail::Frame* f)
+void ScriptFunc::AddClosure(IDPList ids, zeek::detail::Frame* f)
 	{
 	if ( ! f )
 		return;
@ -689,7 +689,7 @@ bool check_built_in_call(BuiltinFunc* f, zeek::detail::CallExpr* call)
 	if ( f->TheFunc() != zeek::BifFunc::fmt_bif)
 		return true;
-	const expr_list& args = call->Args()->Exprs();
+	const ExprPList& args = call->Args()->Exprs();
 	if ( args.length() == 0 )
 		{
 		// Empty calls are allowed, since you can't just
@ -700,7 +700,7 @@ bool check_built_in_call(BuiltinFunc* f, zeek::detail::CallExpr* call)
 	const zeek::detail::Expr* fmt_str_arg = args[0];
 	if ( fmt_str_arg->GetType()->Tag() != zeek::TYPE_STRING )
 		{
-		call->Error("first argument to fmt() needs to be a format string");
+		call->Error("first argument to zeek::util::fmt() needs to be a format string");
 		return false;
 		}
@ -729,7 +729,7 @@ bool check_built_in_call(BuiltinFunc* f, zeek::detail::CallExpr* call)
 		if ( args.length() != num_fmt + 1 )
 			{
-			call->Error("mismatch between format string to fmt() and number of arguments passed");
+			call->Error("mismatch between format string to zeek::util::fmt() and number of arguments passed");
 			return false;
 			}
 		}
--- a/src/Func.h
+++ b/src/Func.h
@ -9,7 +9,7 @@
 #include <tuple>
 #include <type_traits>
-#include "BroList.h"
+#include "ZeekList.h"
 #include "Obj.h"
 #include "IntrusivePtr.h"
 #include "Type.h" /* for function_flavor */
@ -72,7 +72,7 @@ public:
 	bool HasBodies() const	{ return bodies.size(); }
 	[[deprecated("Remove in v4.1. Use Invoke() instead.")]]
-	zeek::Val* Call(val_list* args, zeek::detail::Frame* parent = nullptr) const;
+	zeek::Val* Call(ValPList* args, zeek::detail::Frame* parent = nullptr) const;
 	/**
 	 * Calls a Zeek function.
@ -165,7 +165,7 @@ public:
 	 * @param ids IDs that are captured by the closure.
 	 * @param f the closure to be captured.
 	 */
-	void AddClosure(id_list ids, zeek::detail::Frame* f);
+	void AddClosure(IDPList ids, zeek::detail::Frame* f);
 	/**
 	 * Replaces the current closure with one built from *data*
@ -192,7 +192,7 @@ public:
 	             size_t new_frame_size, int priority) override;
 	/** Sets this function's outer_id list. */
-	void SetOuterIDs(id_list ids)
+	void SetOuterIDs(IDPList ids)
 		{ outer_ids = std::move(ids); }
 	void Describe(ODesc* d) const override;
@ -220,7 +220,7 @@ private:
 	size_t frame_size;
 	// List of the outer IDs used in the function.
-	id_list outer_ids;
+	IDPList outer_ids;
 	// The frame the ScriptFunc was initialized in.
 	zeek::detail::Frame* closure = nullptr;
 	bool weak_closure_ref = false;
--- a/src/Hash.h
+++ b/src/Hash.h
@ -199,7 +199,7 @@ private:
 	inline static uint8_t shared_hmac_md5_key[16];
 	inline static bool seeds_initialized = false;
-	friend void ::hmac_md5(size_t size, const unsigned char* bytes, unsigned char digest[16]);
+	friend void zeek::util::detail::hmac_md5(size_t size, const unsigned char* bytes, unsigned char digest[16]);
 	friend BifReturnVal zeek::BifFunc::md5_hmac_bif(zeek::detail::Frame* frame, const zeek::Args*);
 };
@ -258,7 +258,7 @@ public:
 	int Size() const	{ return size; }
 	hash_t Hash() const	{ return hash; }
-	unsigned int MemoryAllocation() const	{ return padded_sizeof(*this) + pad_size(size); }
+	unsigned int MemoryAllocation() const	{ return padded_sizeof(*this) + zeek::util::pad_size(size); }
 	static hash_t HashBytes(const void* bytes, int size);
 protected:
--- a/src/ID.cc
+++ b/src/ID.cc
@ -107,7 +107,7 @@ namespace zeek::detail {
 ID::ID(const char* arg_name, IDScope arg_scope, bool arg_is_export)
 	{
-	name = copy_string(arg_name);
+	name = zeek::util::copy_string(arg_name);
 	scope = arg_scope;
 	is_export = arg_is_export;
 	is_option = false;
@ -222,8 +222,8 @@ void ID::SetVal(ExprPtr ev, InitClass c)
 	if ( ! val )
 		{
-		Error(fmt("%s initializer applied to ID without value",
+		Error(zeek::util::fmt("%s initializer applied to ID without value",
-		          c == INIT_EXTRA ? "+=" : "-="), this);
+		                      c == INIT_EXTRA ? "+=" : "-="), this);
 		return;
 		}
@ -309,9 +309,9 @@ std::string ID::GetDeprecationWarning() const
 		result = depr_attr->DeprecationMessage();
 	if ( result.empty() )
-		return fmt("deprecated (%s)", Name());
+		return zeek::util::fmt("deprecated (%s)", Name());
 	else
-		return fmt("deprecated (%s): %s", Name(), result.c_str());
+		return zeek::util::fmt("deprecated (%s): %s", Name(), result.c_str());
 	}
 void ID::AddAttrs(AttributesPtr a)
@ -614,10 +614,10 @@ void ID::DescribeReST(ODesc* d, bool roles_only) const
 			ODesc expr_desc;
 			ir->init_expr->Describe(&expr_desc);
 			redef_str = expr_desc.Description();
-			redef_str = strreplace(redef_str, "\n", " ");
+			redef_str = zeek::util::strreplace(redef_str, "\n", " ");
 			d->Add(":Redefinition: ");
-			d->Add(fmt("from :doc:`/scripts/%s`", ir->from_script.data()));
+			d->Add(zeek::util::fmt("from :doc:`/scripts/%s`", ir->from_script.data()));
 			d->NL();
 			d->PushIndent();
--- a/src/ID.h
+++ b/src/ID.h
@ -45,7 +45,7 @@ enum IDScope { SCOPE_FUNCTION, SCOPE_MODULE, SCOPE_GLOBAL };
 class ID;
 using IDPtr = zeek::IntrusivePtr<ID>;
-class ID final : public Obj, public notifier::Modifiable {
+class ID final : public Obj, public zeek::notifier::detail::Modifiable {
 public:
 	static inline const IDPtr nil;
--- a/src/IP.cc
+++ b/src/IP.cc
@ -284,7 +284,7 @@ zeek::RecordValPtr IPv6_Hdr::ToVal(zeek::VectorValPtr chain) const
 			}
 		default:
-			zeek::reporter->Weird("unknown_mobility_type", fmt("%d", mob->ip6mob_type));
+			zeek::reporter->Weird("unknown_mobility_type", zeek::util::fmt("%d", mob->ip6mob_type));
 			break;
 		}
@ -632,7 +632,7 @@ void IPv6_Hdr_Chain::ProcessRoutingHeader(const struct ip6_rthdr* r, uint16_t le
 	default:
 		zeek::reporter->Weird(SrcAddr(), DstAddr(), "unknown_routing_type",
-		                      fmt("%d", r->ip6r_type));
+		                      zeek::util::fmt("%d", r->ip6r_type));
 		break;
 	}
 	}
--- a/src/IntrusivePtr.h
+++ b/src/IntrusivePtr.h
@ -198,7 +198,7 @@ IntrusivePtr<T> cast_intrusive(IntrusivePtr<U> p) noexcept
 	return {zeek::AdoptRef{}, static_cast<T*>(p.release())};
 	}
-}
+} // namespace zeek
 // -- comparison to nullptr ----------------------------------------------------
--- a/src/List.h
+++ b/src/List.h
@ -51,7 +51,7 @@ public:
 		max_entries = size;
-		entries = (T*) safe_malloc(max_entries * sizeof(T));
+		entries = (T*) zeek::util::safe_malloc(max_entries * sizeof(T));
 		}
 	List(const List& b)
@ -60,7 +60,7 @@ public:
 		num_entries = b.num_entries;
 		if ( max_entries )
-			entries = (T*) safe_malloc(max_entries * sizeof(T));
+			entries = (T*) zeek::util::safe_malloc(max_entries * sizeof(T));
 		else
 			entries = nullptr;
@ -81,7 +81,7 @@ public:
 	List(const T* arr, int n)
 		{
 		num_entries = max_entries = n;
-		entries = (T*) safe_malloc(max_entries * sizeof(T));
+		entries = (T*) zeek::util::safe_malloc(max_entries * sizeof(T));
 		memcpy(entries, arr, n * sizeof(T));
 		}
@ -98,7 +98,7 @@ public:
 		num_entries = b.num_entries;
 		if ( max_entries )
-			entries = (T *) safe_malloc(max_entries * sizeof(T));
+			entries = (T *) zeek::util::safe_malloc(max_entries * sizeof(T));
 		else
 			entries = nullptr;
@ -148,7 +148,7 @@ public:
 		if ( new_size != max_entries )
 			{
-			entries = (T*) safe_realloc((void*) entries, sizeof(T) * new_size);
+			entries = (T*) zeek::util::safe_realloc((void*) entries, sizeof(T) * new_size);
 			if ( entries )
 				max_entries = new_size;
 			else
@ -159,7 +159,7 @@ public:
 		}
 	int MemoryAllocation() const
-		{ return padded_sizeof(*this) + pad_size(max_entries * sizeof(T)); }
+		{ return padded_sizeof(*this) + zeek::util::pad_size(max_entries * sizeof(T)); }
 	void push_front(const T& a)
 		{
--- a/src/Net.h
+++ b/src/Net.h
@ -1,111 +1,4 @@
-// See the file "COPYING" in the main distribution directory for copyright.
+#warning "Net.h is deprecated and will be removed in v4.1. Use RunState.h and/or ScannedFile.h instead."
-#pragma once
+#include "RunState.h"
-
+#include "ScannedFile.h"
 #include "zeek-config.h"
 #include <sys/stat.h> // for ino_t
 #include <list>
 #include <vector>
 #include <string>
 #include <optional>
 namespace iosource {
 	class IOSource;
 	class PktSrc;
 	class PktDumper;
 	}
 ZEEK_FORWARD_DECLARE_NAMESPACED(Packet, zeek);
 extern void net_init(const std::optional<std::string>& interfaces,
                     const std::optional<std::string>& pcap_input_file,
                     const std::optional<std::string>& pcap_output_file,
                     bool do_watchdog);
 extern void net_run();
 extern void net_get_final_stats();
 extern void net_finish(int drain_events);
 extern void net_delete();	// Reclaim all memory, etc.
 extern void net_update_time(double new_network_time);
 extern void net_packet_dispatch(double t, const zeek::Packet* pkt,
 			iosource::PktSrc* src_ps);
 extern void expire_timers(iosource::PktSrc* src_ps = nullptr);
 extern void zeek_terminate_loop(const char* reason);
 // Functions to temporarily suspend processing of live input (network packets
 // and remote events/state). Turning this is on is sure to lead to data loss!
 extern void net_suspend_processing();
 extern void net_continue_processing();
 extern int _processing_suspended;	// don't access directly.
 inline bool net_is_processing_suspended()
 	{ return _processing_suspended > 0; }
 // Whether we're reading live traffic.
 extern bool reading_live;
 // Same but for reading from traces instead.  We have two separate
 // variables because it's possible that neither is true, and we're
 // instead just running timers (per the variable after this one).
 extern bool reading_traces;
 // True if we have timers scheduled for the future on which we need
 // to wait.  "Need to wait" here means that we're running live (though
 // perhaps not reading_live, but just running in real-time) as opposed
 // to reading a trace (in which case we don't want to wait in real-time
 // on future timers).
 extern bool have_pending_timers;
 // If > 0, we are reading from traces but trying to mimic real-time behavior.
 // (In this case, both reading_traces and reading_live are true.)  The value
 // is the speedup (1 = real-time, 0.5 = half real-time, etc.).
 extern double pseudo_realtime;
 // When we started processing the current packet and corresponding event
 // queue.
 extern double processing_start_time;
 // When the Bro process was started.
 extern double bro_start_time;
 // Time at which the Bro process was started with respect to network time,
 // i.e. the timestamp of the first packet.
 extern double bro_start_network_time;
 // True if we're a in the process of cleaning-up just before termination.
 extern bool terminating;
 // True if Bro is currently parsing scripts.
 extern bool is_parsing;
 extern const zeek::Packet* current_pkt;
 extern int current_dispatched;
 extern double current_timestamp;
 extern iosource::PktSrc* current_pktsrc;
 extern iosource::IOSource* current_iosrc;
 extern iosource::PktDumper* pkt_dumper;	// where to save packets
 // Script file we have already scanned (or are in the process of scanning).
 // They are identified by normalized realpath.
 struct ScannedFile {
 	int include_level;
 	bool skipped;		// This ScannedFile was @unload'd.
 	bool prefixes_checked;	// If loading prefixes for this file has been tried.
 	std::string name;
 	std::string canonical_path; // normalized, absolute path via realpath()
 	ScannedFile(int arg_include_level,
 	            std::string arg_name, bool arg_skipped = false,
 	            bool arg_prefixes_checked = false);
 	/**
 	 * Compares the canonical path of this file against every canonical path
 	 * in files_scanned and returns whether there's any match.
 	 */
 	bool AlreadyScanned() const;
 };
 extern std::list<ScannedFile> files_scanned;
 extern std::vector<std::string> sig_files;
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@ -30,6 +30,84 @@ zeek::VectorType* index_vec;
 zeek::VectorType* mime_matches;
 zeek::RecordType* mime_match;
 zeek::RecordType* socks_address;
 zeek::TableVal* tcp_reassembler_ports_orig;
 zeek::TableVal* tcp_reassembler_ports_resp;
 zeek::TableVal* tcp_content_delivery_ports_orig;
 zeek::TableVal* tcp_content_delivery_ports_resp;
 zeek::TableVal* udp_content_delivery_ports_orig;
 zeek::TableVal* udp_content_delivery_ports_resp;
 zeek::TableVal* udp_content_ports;
 zeek::RecordType* mime_header_rec;
 zeek::TableType* mime_header_list;
 zeek::RecordType* http_stats_rec;
 zeek::RecordType* http_message_stat;
 zeek::RecordType* pm_mapping;
 zeek::TableType* pm_mappings;
 zeek::RecordType* pm_port_request;
 zeek::RecordType* pm_callit_request;
 zeek::RecordType* geo_location;
 zeek::RecordType* entropy_test_result;
 zeek::RecordType* dns_msg;
 zeek::RecordType* dns_answer;
 zeek::RecordType* dns_soa;
 zeek::RecordType* dns_edns_additional;
 zeek::RecordType* dns_edns_ecs;
 zeek::RecordType* dns_tsig_additional;
 zeek::RecordType* dns_rrsig_rr;
 zeek::RecordType* dns_dnskey_rr;
 zeek::RecordType* dns_nsec3_rr;
 zeek::RecordType* dns_ds_rr;
 zeek::TableVal* dns_skip_auth;
 zeek::TableVal* dns_skip_addl;
 zeek::TableVal* stp_skip_src;
 zeek::TableVal* preserve_orig_addr;
 zeek::TableVal* preserve_resp_addr;
 zeek::TableVal* preserve_other_addr;
 zeek::RecordType* rotate_info;
 zeek::StringVal* log_rotate_base_time;
 zeek::StringVal* peer_description;
 zeek::Val* profiling_file;
 zeek::Val* pkt_profile_file;
 zeek::TableType* irc_join_list;
 zeek::RecordType* irc_join_info;
 zeek::TableVal* likely_server_ports;
 zeek::StringVal* trace_output_file;
 zeek::RecordType* script_id;
 zeek::TableType* id_table;
 zeek::RecordType* record_field;
 zeek::TableType* record_field_table;
 zeek::RecordType* call_argument;
 zeek::VectorType* call_argument_vector;
 zeek::StringVal* cmd_line_bpf_filter;
 zeek::StringVal* global_hash_seed;
 // Because of how the BIF include files are built with namespaces already in them,
 // these files need to be included separately before the namespace is opened below.
 namespace zeek::detail {
 int watchdog_interval;
 int max_timer_expires;
@ -56,8 +134,6 @@ int tcp_max_above_hole_without_any_acks;
 int tcp_excessive_data_without_further_acks;
 int tcp_max_old_segments;
 zeek::RecordType* socks_address;
 double non_analyzed_lifetime;
 double tcp_inactivity_timeout;
 double udp_inactivity_timeout;
@ -66,17 +142,8 @@ double icmp_inactivity_timeout;
 int tcp_storm_thresh;
 double tcp_storm_interarrival_thresh;
 zeek::TableVal* tcp_reassembler_ports_orig;
 zeek::TableVal* tcp_reassembler_ports_resp;
 zeek::TableVal* tcp_content_delivery_ports_orig;
 zeek::TableVal* tcp_content_delivery_ports_resp;
 bool tcp_content_deliver_all_orig;
 bool tcp_content_deliver_all_resp;
 zeek::TableVal* udp_content_delivery_ports_orig;
 zeek::TableVal* udp_content_delivery_ports_resp;
 zeek::TableVal* udp_content_ports;
 bool udp_content_deliver_all_orig;
 bool udp_content_deliver_all_resp;
 bool udp_content_delivery_ports_use_resp;
@ -86,42 +153,15 @@ double rpc_timeout;
 int mime_segment_length;
 int mime_segment_overlap_length;
 zeek::RecordType* mime_header_rec;
 zeek::TableType* mime_header_list;
 int http_entity_data_delivery_size;
 zeek::RecordType* http_stats_rec;
 zeek::RecordType* http_message_stat;
 int truncate_http_URI;
 zeek::RecordType* pm_mapping;
 zeek::TableType* pm_mappings;
 zeek::RecordType* pm_port_request;
 zeek::RecordType* pm_callit_request;
 zeek::RecordType* geo_location;
 zeek::RecordType* entropy_test_result;
 zeek::RecordType* dns_msg;
 zeek::RecordType* dns_answer;
 zeek::RecordType* dns_soa;
 zeek::RecordType* dns_edns_additional;
 zeek::RecordType* dns_edns_ecs;
 zeek::RecordType* dns_tsig_additional;
 zeek::RecordType* dns_rrsig_rr;
 zeek::RecordType* dns_dnskey_rr;
 zeek::RecordType* dns_nsec3_rr;
 zeek::RecordType* dns_ds_rr;
 zeek::TableVal* dns_skip_auth;
 zeek::TableVal* dns_skip_addl;
 int dns_skip_all_auth;
 int dns_skip_all_addl;
 int dns_max_queries;
 double stp_delta;
 double stp_idle_min;
 zeek::TableVal* stp_skip_src;
 double table_expire_interval;
 double table_expire_delay;
@ -131,22 +171,12 @@ double connection_status_update_interval;
 int orig_addr_anonymization, resp_addr_anonymization;
 int other_addr_anonymization;
 zeek::TableVal* preserve_orig_addr;
 zeek::TableVal* preserve_resp_addr;
 zeek::TableVal* preserve_other_addr;
 zeek::RecordType* rotate_info;
 zeek::StringVal* log_rotate_base_time;
 zeek::StringVal* peer_description;
 zeek::Val* profiling_file;
 double profiling_interval;
 int expensive_profiling_multiple;
 int segment_profiling;
 int pkt_profile_mode;
 double pkt_profile_freq;
 zeek::Val* pkt_profile_file;
 int load_sample_freq;
@ -154,47 +184,47 @@ int packet_filter_default;
 int sig_max_group_size;
 zeek::TableType* irc_join_list;
 zeek::RecordType* irc_join_info;
 int dpd_reassemble_first_packets;
 int dpd_buffer_size;
 int dpd_match_only_beginning;
 int dpd_late_match_stop;
 int dpd_ignore_ports;
 zeek::TableVal* likely_server_ports;
 int check_for_unused_event_handlers;
 double timer_mgr_inactivity_timeout;
 zeek::StringVal* trace_output_file;
 int record_all_packets;
 zeek::RecordType* script_id;
 zeek::TableType* id_table;
 zeek::RecordType* record_field;
 zeek::TableType* record_field_table;
 zeek::RecordType* call_argument;
 zeek::VectorType* call_argument_vector;
 zeek::StringVal* cmd_line_bpf_filter;
 zeek::StringVal* global_hash_seed;
 bro_uint_t bits_per_uid;
 } // namespace zeek::detail. The namespace has be closed here before we include the netvar_def files.
 static void bif_init_event_handlers()
 	{
 #include "event.bif.netvar_init"
 	}
 static void bif_init_net_var()
 	{
 #include "const.bif.netvar_init"
 #include "types.bif.netvar_init"
 #include "reporter.bif.netvar_init"
 #include "supervisor.bif.netvar_init"
 	}
 #include "const.bif.netvar_def"
 #include "types.bif.netvar_def"
 #include "event.bif.netvar_def"
 #include "reporter.bif.netvar_def"
 #include "supervisor.bif.netvar_def"
 // Re-open the namespace now that the bif headers are all included.
 namespace zeek::detail {
 void init_event_handlers()
 	{
-#include "event.bif.netvar_init"
+	bif_init_event_handlers();
 	}
 void init_general_global_var()
@ -213,10 +243,7 @@ extern void zeek_legacy_netvar_init();
 void init_net_var()
 	{
-#include "const.bif.netvar_init"
+	bif_init_net_var();
 #include "types.bif.netvar_init"
 #include "reporter.bif.netvar_init"
 #include "supervisor.bif.netvar_init"
 	zeek::id::detail::init();
 	zeek_legacy_netvar_init();
@ -320,3 +347,72 @@ void init_net_var()
 	timer_mgr_inactivity_timeout = zeek::id::find_val("timer_mgr_inactivity_timeout")->AsInterval();
 	}
 } // namespace zeek::detail
 // Remove in v4.1.
 int& watchdog_interval = zeek::detail::watchdog_interval;
 int& max_timer_expires = zeek::detail::max_timer_expires;
 int& ignore_checksums = zeek::detail::ignore_checksums;
 int& partial_connection_ok = zeek::detail::partial_connection_ok;
 int& tcp_SYN_ack_ok = zeek::detail::tcp_SYN_ack_ok;
 int& tcp_match_undelivered = zeek::detail::tcp_match_undelivered;
 int& encap_hdr_size = zeek::detail::encap_hdr_size;
 double& frag_timeout = zeek::detail::frag_timeout;
 double& tcp_SYN_timeout = zeek::detail::tcp_SYN_timeout;
 double& tcp_session_timer = zeek::detail::tcp_session_timer;
 double& tcp_connection_linger = zeek::detail::tcp_connection_linger;
 double& tcp_attempt_delay = zeek::detail::tcp_attempt_delay;
 double& tcp_close_delay = zeek::detail::tcp_close_delay;
 double& tcp_partial_close_delay = zeek::detail::tcp_partial_close_delay;
 double& tcp_reset_delay = zeek::detail::tcp_reset_delay;
 int& tcp_max_initial_window = zeek::detail::tcp_max_initial_window;
 int& tcp_max_above_hole_without_any_acks = zeek::detail::tcp_max_above_hole_without_any_acks;
 int& tcp_excessive_data_without_further_acks = zeek::detail::tcp_excessive_data_without_further_acks;
 int& tcp_max_old_segments = zeek::detail::tcp_max_old_segments;
 double& non_analyzed_lifetime = zeek::detail::non_analyzed_lifetime;
 double& tcp_inactivity_timeout = zeek::detail::tcp_inactivity_timeout;
 double& udp_inactivity_timeout = zeek::detail::udp_inactivity_timeout;
 double& icmp_inactivity_timeout = zeek::detail::icmp_inactivity_timeout;
 int& tcp_storm_thresh = zeek::detail::tcp_storm_thresh;
 double& tcp_storm_interarrival_thresh = zeek::detail::tcp_storm_interarrival_thresh;
 bool& tcp_content_deliver_all_orig = zeek::detail::tcp_content_deliver_all_orig;
 bool& tcp_content_deliver_all_resp = zeek::detail::tcp_content_deliver_all_resp;
 bool& udp_content_deliver_all_orig = zeek::detail::udp_content_deliver_all_orig;
 bool& udp_content_deliver_all_resp = zeek::detail::udp_content_deliver_all_resp;
 bool& udp_content_delivery_ports_use_resp = zeek::detail::udp_content_delivery_ports_use_resp;
 double& dns_session_timeout = zeek::detail::dns_session_timeout;
 double& rpc_timeout = zeek::detail::rpc_timeout;
 int& mime_segment_length = zeek::detail::mime_segment_length;
 int& mime_segment_overlap_length = zeek::detail::mime_segment_overlap_length;
 int& http_entity_data_delivery_size = zeek::detail::http_entity_data_delivery_size;
 int& truncate_http_URI = zeek::detail::truncate_http_URI;
 int& dns_skip_all_auth = zeek::detail::dns_skip_all_auth;
 int& dns_skip_all_addl = zeek::detail::dns_skip_all_addl;
 int& dns_max_queries = zeek::detail::dns_max_queries;
 double& stp_delta = zeek::detail::stp_delta;
 double& stp_idle_min = zeek::detail::stp_idle_min;
 double& table_expire_interval = zeek::detail::table_expire_interval;
 double& table_expire_delay = zeek::detail::table_expire_delay;
 int& table_incremental_step = zeek::detail::table_incremental_step;
 int& orig_addr_anonymization = zeek::detail::orig_addr_anonymization;
 int& resp_addr_anonymization = zeek::detail::resp_addr_anonymization;
 int& other_addr_anonymization = zeek::detail::other_addr_anonymization;
 double& connection_status_update_interval = zeek::detail::connection_status_update_interval;
 double& profiling_interval = zeek::detail::profiling_interval;
 int& expensive_profiling_multiple = zeek::detail::expensive_profiling_multiple;
 int& segment_profiling = zeek::detail::segment_profiling;
 int& pkt_profile_mode = zeek::detail::pkt_profile_mode;
 double& pkt_profile_freq = zeek::detail::pkt_profile_freq;
 int& load_sample_freq = zeek::detail::load_sample_freq;
 int& packet_filter_default = zeek::detail::packet_filter_default;
 int& sig_max_group_size = zeek::detail::sig_max_group_size;
 int& dpd_reassemble_first_packets = zeek::detail::dpd_reassemble_first_packets;
 int& dpd_buffer_size = zeek::detail::dpd_buffer_size;
 int& dpd_match_only_beginning = zeek::detail::dpd_match_only_beginning;
 int& dpd_late_match_stop = zeek::detail::dpd_late_match_stop;
 int& dpd_ignore_ports = zeek::detail::dpd_ignore_ports;
 int& check_for_unused_event_handlers = zeek::detail::check_for_unused_event_handlers;
 double& timer_mgr_inactivity_timeout = zeek::detail::timer_mgr_inactivity_timeout;
 int& record_all_packets = zeek::detail::record_all_packets;
 bro_uint_t& bits_per_uid = zeek::detail::bits_per_uid;
--- a/src/NetVar.h
+++ b/src/NetVar.h
@ -6,6 +6,176 @@
 #include "EventRegistry.h"
 #include "Stats.h"
 namespace zeek::detail {
 extern int watchdog_interval;
 extern int max_timer_expires;
 extern int ignore_checksums;
 extern int partial_connection_ok;
 extern int tcp_SYN_ack_ok;
 extern int tcp_match_undelivered;
 extern int encap_hdr_size;
 extern double frag_timeout;
 extern double tcp_SYN_timeout;
 extern double tcp_session_timer;
 extern double tcp_connection_linger;
 extern double tcp_attempt_delay;
 extern double tcp_close_delay;
 extern double tcp_partial_close_delay;
 extern double tcp_reset_delay;
 extern int tcp_max_initial_window;
 extern int tcp_max_above_hole_without_any_acks;
 extern int tcp_excessive_data_without_further_acks;
 extern int tcp_max_old_segments;
 extern double non_analyzed_lifetime;
 extern double tcp_inactivity_timeout;
 extern double udp_inactivity_timeout;
 extern double icmp_inactivity_timeout;
 extern int tcp_storm_thresh;
 extern double tcp_storm_interarrival_thresh;
 extern bool tcp_content_deliver_all_orig;
 extern bool tcp_content_deliver_all_resp;
 extern bool udp_content_deliver_all_orig;
 extern bool udp_content_deliver_all_resp;
 extern bool udp_content_delivery_ports_use_resp;
 extern double dns_session_timeout;
 extern double rpc_timeout;
 extern int mime_segment_length;
 extern int mime_segment_overlap_length;
 extern int http_entity_data_delivery_size;
 extern int truncate_http_URI;
 extern int dns_skip_all_auth;
 extern int dns_skip_all_addl;
 extern int dns_max_queries;
 extern double stp_delta;
 extern double stp_idle_min;
 extern double table_expire_interval;
 extern double table_expire_delay;
 extern int table_incremental_step;
 extern int orig_addr_anonymization, resp_addr_anonymization;
 extern int other_addr_anonymization;
 extern double connection_status_update_interval;
 extern double profiling_interval;
 extern int expensive_profiling_multiple;
 extern int segment_profiling;
 extern int pkt_profile_mode;
 extern double pkt_profile_freq;
 extern int load_sample_freq;
 extern int packet_filter_default;
 extern int sig_max_group_size;
 extern int dpd_reassemble_first_packets;
 extern int dpd_buffer_size;
 extern int dpd_match_only_beginning;
 extern int dpd_late_match_stop;
 extern int dpd_ignore_ports;
 extern int check_for_unused_event_handlers;
 extern double timer_mgr_inactivity_timeout;
 extern int record_all_packets;
 extern bro_uint_t bits_per_uid;
 // Initializes globals that don't pertain to network/event analysis.
 extern void init_general_global_var();
 extern void init_event_handlers();
 extern void init_net_var();
 } // namespace zeek::detail
 constexpr auto init_general_global_var [[deprecated("Remove in v4.1. Use zeek::detail::init_general_global_var.")]] = zeek::detail::init_general_global_var;
 constexpr auto init_event_handlers [[deprecated("Remove in v4.1. Use zeek::detail::init_event_handlers.")]] = zeek::detail::init_event_handlers;
 constexpr auto init_net_var [[deprecated("Remove in v4.1. Use zeek::detail::init_net_var.")]] = zeek::detail::init_net_var;
 extern int& watchdog_interval [[deprecated("Remove in v4.1. Use zeek::detail::watchdog_interval.")]];
 extern int& max_timer_expires [[deprecated("Remove in v4.1. Use zeek::detail::max_timer_expires.")]];
 extern int& ignore_checksums [[deprecated("Remove in v4.1. Use zeek::detail::ignore_checksums.")]];
 extern int& partial_connection_ok [[deprecated("Remove in v4.1. Use zeek::detail::partial_connection_ok.")]];
 extern int& tcp_SYN_ack_ok [[deprecated("Remove in v4.1. Use zeek::detail::tcp_SYN_ack_ok.")]];
 extern int& tcp_match_undelivered [[deprecated("Remove in v4.1. Use zeek::detail::tcp_match_undelivered.")]];
 extern int& encap_hdr_size [[deprecated("Remove in v4.1. Use zeek::detail::encap_hdr_size.")]];
 extern double& frag_timeout [[deprecated("Remove in v4.1. Use zeek::detail::frag_timeout.")]];
 extern double& tcp_SYN_timeout [[deprecated("Remove in v4.1. Use zeek::detail::tcp_SYN_timeout.")]];
 extern double& tcp_session_timer [[deprecated("Remove in v4.1. Use zeek::detail::tcp_session_timer.")]];
 extern double& tcp_connection_linger [[deprecated("Remove in v4.1. Use zeek::detail::tcp_connection_linger.")]];
 extern double& tcp_attempt_delay [[deprecated("Remove in v4.1. Use zeek::detail::tcp_attempt_delay.")]];
 extern double& tcp_close_delay [[deprecated("Remove in v4.1. Use zeek::detail::tcp_close_delay.")]];
 extern double& tcp_partial_close_delay [[deprecated("Remove in v4.1. Use zeek::detail::tcp_partial_close_delay.")]];
 extern double& tcp_reset_delay [[deprecated("Remove in v4.1. Use zeek::detail::tcp_reset_delay.")]];
 extern int& tcp_max_initial_window [[deprecated("Remove in v4.1. Use zeek::detail::tcp_max_initial_window.")]];
 extern int& tcp_max_above_hole_without_any_acks [[deprecated("Remove in v4.1. Use zeek::detail::tcp_max_above_hole_without_any_acks.")]];
 extern int& tcp_excessive_data_without_further_acks [[deprecated("Remove in v4.1. Use zeek::detail::tcp_excessive_data_without_further_acks.")]];
 extern int& tcp_max_old_segments [[deprecated("Remove in v4.1. Use zeek::detail::tcp_max_old_segments.")]];
 extern double& non_analyzed_lifetime [[deprecated("Remove in v4.1. Use zeek::detail::non_analyzed_lifetime.")]];
 extern double& tcp_inactivity_timeout [[deprecated("Remove in v4.1. Use zeek::detail::tcp_inactivity_timeout.")]];
 extern double& udp_inactivity_timeout [[deprecated("Remove in v4.1. Use zeek::detail::udp_inactivity_timeout.")]];
 extern double& icmp_inactivity_timeout [[deprecated("Remove in v4.1. Use zeek::detail::icmp_inactivity_timeout.")]];
 extern int& tcp_storm_thresh [[deprecated("Remove in v4.1. Use zeek::detail::tcp_storm_thresh.")]];
 extern double& tcp_storm_interarrival_thresh [[deprecated("Remove in v4.1. Use zeek::detail::tcp_storm_interarrival_thresh.")]];
 extern bool& tcp_content_deliver_all_orig [[deprecated("Remove in v4.1. Use zeek::detail::tcp_content_deliver_all_orig.")]];
 extern bool& tcp_content_deliver_all_resp [[deprecated("Remove in v4.1. Use zeek::detail::tcp_content_deliver_all_resp.")]];
 extern bool& udp_content_deliver_all_orig [[deprecated("Remove in v4.1. Use zeek::detail::udp_content_deliver_all_orig.")]];
 extern bool& udp_content_deliver_all_resp [[deprecated("Remove in v4.1. Use zeek::detail::udp_content_deliver_all_resp.")]];
 extern bool& udp_content_delivery_ports_use_resp [[deprecated("Remove in v4.1. Use zeek::detail::udp_content_delivery_ports_use_resp.")]];
 extern double& dns_session_timeout [[deprecated("Remove in v4.1. Use zeek::detail::dns_session_timeout.")]];
 extern double& rpc_timeout [[deprecated("Remove in v4.1. Use zeek::detail::rpc_timeout.")]];
 extern int& mime_segment_length [[deprecated("Remove in v4.1. Use zeek::detail::mime_segment_length.")]];
 extern int& mime_segment_overlap_length [[deprecated("Remove in v4.1. Use zeek::detail::mime_segment_overlap_length.")]];
 extern int& http_entity_data_delivery_size [[deprecated("Remove in v4.1. Use zeek::detail::http_entity_data_delivery_size.")]];
 extern int& truncate_http_URI [[deprecated("Remove in v4.1. Use zeek::detail::truncate_http_URI.")]];
 extern int& dns_skip_all_auth [[deprecated("Remove in v4.1. Use zeek::detail::dns_skip_all_auth.")]];
 extern int& dns_skip_all_addl [[deprecated("Remove in v4.1. Use zeek::detail::dns_skip_all_addl.")]];
 extern int& dns_max_queries [[deprecated("Remove in v4.1. Use zeek::detail::dns_max_queries.")]];
 extern double& stp_delta [[deprecated("Remove in v4.1. Use zeek::detail::stp_delta.")]];
 extern double& stp_idle_min [[deprecated("Remove in v4.1. Use zeek::detail::stp_idle_min.")]];
 extern double& table_expire_interval [[deprecated("Remove in v4.1. Use zeek::detail::table_expire_interval.")]];
 extern double& table_expire_delay [[deprecated("Remove in v4.1. Use zeek::detail::table_expire_delay.")]];
 extern int& table_incremental_step [[deprecated("Remove in v4.1. Use zeek::detail::table_incremental_step.")]];
 extern int& orig_addr_anonymization [[deprecated("Remove in v4.1. Use zeek::detail::orig_addr_anonymization.")]];
 extern int& resp_addr_anonymization [[deprecated("Remove in v4.1. Use zeek::detail::resp_addr_anonymization.")]];
 extern int& other_addr_anonymization [[deprecated("Remove in v4.1. Use zeek::detail::other_addr_anonymization.")]];
 extern double& connection_status_update_interval [[deprecated("Remove in v4.1. Use zeek::detail::connection_status_update_interval.")]];
 extern double& profiling_interval [[deprecated("Remove in v4.1. Use zeek::detail::profiling_interval.")]];
 extern int& expensive_profiling_multiple [[deprecated("Remove in v4.1. Use zeek::detail::expensive_profiling_multiple.")]];
 extern int& segment_profiling [[deprecated("Remove in v4.1. Use zeek::detail::segment_profiling.")]];
 extern int& pkt_profile_mode [[deprecated("Remove in v4.1. Use zeek::detail::pkt_profile_mode.")]];
 extern double& pkt_profile_freq [[deprecated("Remove in v4.1. Use zeek::detail::pkt_profile_freq.")]];
 extern int& load_sample_freq [[deprecated("Remove in v4.1. Use zeek::detail::load_sample_freq.")]];
 extern int& packet_filter_default [[deprecated("Remove in v4.1. Use zeek::detail::packet_filter_default.")]];
 extern int& sig_max_group_size [[deprecated("Remove in v4.1. Use zeek::detail::sig_max_group_size.")]];
 extern int& dpd_reassemble_first_packets [[deprecated("Remove in v4.1. Use zeek::detail::dpd_reassemble_first_packets.")]];
 extern int& dpd_buffer_size [[deprecated("Remove in v4.1. Use zeek::detail::dpd_buffer_size.")]];
 extern int& dpd_match_only_beginning [[deprecated("Remove in v4.1. Use zeek::detail::dpd_match_only_beginning.")]];
 extern int& dpd_late_match_stop [[deprecated("Remove in v4.1. Use zeek::detail::dpd_late_match_stop.")]];
 extern int& dpd_ignore_ports [[deprecated("Remove in v4.1. Use zeek::detail::dpd_ignore_ports.")]];
 extern int& check_for_unused_event_handlers [[deprecated("Remove in v4.1. Use zeek::detail::check_for_unused_event_handlers.")]];
 extern double& timer_mgr_inactivity_timeout [[deprecated("Remove in v4.1. Use zeek::detail::timer_mgr_inactivity_timeout.")]];
 extern int& record_all_packets [[deprecated("Remove in v4.1. Use zeek::detail::record_all_packets.")]];
 extern bro_uint_t& bits_per_uid [[deprecated("Remove in v4.1. Use zeek::detail::bits_per_uid.")]];
 [[deprecated("Remove in v4.1.  Use zeek::id::conn_id.")]]
 extern zeek::RecordType* conn_id;
 [[deprecated("Remove in v4.1.  Use zeek::id::endpoint.")]]
@ -49,43 +219,9 @@ extern zeek::VectorType* mime_matches;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::RecordType* mime_match;
 extern int watchdog_interval;
 extern int max_timer_expires;
 extern int ignore_checksums;
 extern int partial_connection_ok;
 extern int tcp_SYN_ack_ok;
 extern int tcp_match_undelivered;
 extern int encap_hdr_size;
 extern double frag_timeout;
 extern double tcp_SYN_timeout;
 extern double tcp_session_timer;
 extern double tcp_connection_linger;
 extern double tcp_attempt_delay;
 extern double tcp_close_delay;
 extern double tcp_partial_close_delay;
 extern double tcp_reset_delay;
 extern int tcp_max_initial_window;
 extern int tcp_max_above_hole_without_any_acks;
 extern int tcp_excessive_data_without_further_acks;
 extern int tcp_max_old_segments;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::RecordType* socks_address;
 extern double non_analyzed_lifetime;
 extern double tcp_inactivity_timeout;
 extern double udp_inactivity_timeout;
 extern double icmp_inactivity_timeout;
 extern int tcp_storm_thresh;
 extern double tcp_storm_interarrival_thresh;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::TableVal* tcp_reassembler_ports_orig;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
@ -95,8 +231,6 @@ extern zeek::TableVal* tcp_reassembler_ports_resp;
 extern zeek::TableVal* tcp_content_delivery_ports_orig;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::TableVal* tcp_content_delivery_ports_resp;
 extern bool tcp_content_deliver_all_orig;
 extern bool tcp_content_deliver_all_resp;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::TableVal* udp_content_delivery_ports_orig;
@ -104,26 +238,15 @@ extern zeek::TableVal* udp_content_delivery_ports_orig;
 extern zeek::TableVal* udp_content_delivery_ports_resp;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::TableVal* udp_content_ports;
 extern bool udp_content_deliver_all_orig;
 extern bool udp_content_deliver_all_resp;
 extern bool udp_content_delivery_ports_use_resp;
 extern double dns_session_timeout;
 extern double rpc_timeout;
 extern int mime_segment_length;
 extern int mime_segment_overlap_length;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::RecordType* mime_header_rec;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::TableType* mime_header_list;
 extern int http_entity_data_delivery_size;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::RecordType* http_stats_rec;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::RecordType* http_message_stat;
 extern int truncate_http_URI;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::RecordType* pm_mapping;
@ -164,21 +287,10 @@ extern zeek::RecordType* dns_ds_rr;
 extern zeek::TableVal* dns_skip_auth;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::TableVal* dns_skip_addl;
 extern int dns_skip_all_auth;
 extern int dns_skip_all_addl;
 extern int dns_max_queries;
 extern double stp_delta;
 extern double stp_idle_min;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::TableVal* stp_skip_src;
 extern double table_expire_interval;
 extern double table_expire_delay;
 extern int table_incremental_step;
 extern int orig_addr_anonymization, resp_addr_anonymization;
 extern int other_addr_anonymization;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::TableVal* preserve_orig_addr;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
@ -186,8 +298,6 @@ extern zeek::TableVal* preserve_resp_addr;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::TableVal* preserve_other_addr;
 extern double connection_status_update_interval;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::RecordType* rotate_info;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
@ -198,44 +308,21 @@ extern zeek::StringVal* peer_description;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::Val* profiling_file;
 extern double profiling_interval;
 extern int expensive_profiling_multiple;
 extern int segment_profiling;
 extern int pkt_profile_mode;
 extern double pkt_profile_freq;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::Val* pkt_profile_file;
 extern int load_sample_freq;
 extern int packet_filter_default;
 extern int sig_max_group_size;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::TableType* irc_join_list;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::RecordType* irc_join_info;
 extern int dpd_reassemble_first_packets;
 extern int dpd_buffer_size;
 extern int dpd_match_only_beginning;
 extern int dpd_late_match_stop;
 extern int dpd_ignore_ports;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::TableVal* likely_server_ports;
 extern int check_for_unused_event_handlers;
 extern double timer_mgr_inactivity_timeout;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::StringVal* trace_output_file;
 extern int record_all_packets;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::RecordType* script_id;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
@ -255,14 +342,6 @@ extern zeek::StringVal* cmd_line_bpf_filter;
 [[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern zeek::StringVal* global_hash_seed;
 extern bro_uint_t bits_per_uid;
 // Initializes globals that don't pertain to network/event analysis.
 extern void init_general_global_var();
 extern void init_event_handlers();
 extern void init_net_var();
 #include "const.bif.netvar_h"
 #include "types.bif.netvar_h"
 #include "event.bif.netvar_h"
--- a/src/Notifier.cc
+++ b/src/Notifier.cc
@ -5,25 +5,28 @@
 #include <set>
-notifier::Registry notifier::registry;
+zeek::notifier::detail::Registry zeek::notifier::detail::registry;
 zeek::notifier::detail::Registry& notifier::registry = zeek::notifier::detail::registry;
-notifier::Receiver::Receiver()
+namespace zeek::notifier::detail {
 Receiver::Receiver()
 	{
 	DBG_LOG(zeek::DBG_NOTIFIERS, "creating receiver %p", this);
 	}
-notifier::Receiver::~Receiver()
+Receiver::~Receiver()
 	{
 	DBG_LOG(zeek::DBG_NOTIFIERS, "deleting receiver %p", this);
 	}
-notifier::Registry::~Registry()
+Registry::~Registry()
 	{
 	while ( registrations.begin() != registrations.end() )
 		Unregister(registrations.begin()->first);
 	}
-void notifier::Registry::Register(Modifiable* m, notifier::Receiver* r)
+void Registry::Register(Modifiable* m, Receiver* r)
 	{
 	DBG_LOG(zeek::DBG_NOTIFIERS, "registering object %p for receiver %p", m, r);
@ -31,7 +34,7 @@ void notifier::Registry::Register(Modifiable* m, notifier::Receiver* r)
 	++m->num_receivers;
 	}
-void notifier::Registry::Unregister(Modifiable* m, notifier::Receiver* r)
+void Registry::Unregister(Modifiable* m, Receiver* r)
 	{
 	DBG_LOG(zeek::DBG_NOTIFIERS, "unregistering object %p from receiver %p", m, r);
@ -47,7 +50,7 @@ void notifier::Registry::Unregister(Modifiable* m, notifier::Receiver* r)
 		}
 	}
-void notifier::Registry::Unregister(Modifiable* m)
+void Registry::Unregister(Modifiable* m)
 	{
 	DBG_LOG(zeek::DBG_NOTIFIERS, "unregistering object %p from all notifiers", m);
@ -58,7 +61,7 @@ void notifier::Registry::Unregister(Modifiable* m)
 	registrations.erase(x.first, x.second);
 	}
-void notifier::Registry::Modified(Modifiable* m)
+void Registry::Modified(Modifiable* m)
 	{
 	DBG_LOG(zeek::DBG_NOTIFIERS, "object %p has been modified", m);
@ -67,7 +70,7 @@ void notifier::Registry::Modified(Modifiable* m)
 		i->second->Modified(m);
 	}
-void notifier::Registry::Terminate()
+void Registry::Terminate()
 	{
 	std::set<Receiver*> receivers;
@ -78,8 +81,10 @@ void notifier::Registry::Terminate()
 		r->Terminate();
 	}
-notifier::Modifiable::~Modifiable()
+Modifiable::~Modifiable()
 	{
 	if ( num_receivers )
 		registry.Unregister(this);
 	}
 } // namespace zeek::notifier::detail
--- a/src/Notifier.h
+++ b/src/Notifier.h
@ -10,7 +10,7 @@
 #include <unordered_map>
 #include <cstdint>
-namespace notifier  {
+namespace zeek::notifier::detail  {
 class Modifiable;
@ -118,4 +118,14 @@ protected:
 	uint64_t num_receivers = 0;
 };
-}
+} // namespace zeek::notifier::detail
 namespace notifier {
 using Receiver [[deprecated("Remove in v4.1. Use zeek::notifier::detail::Receiver.")]] = zeek::notifier::detail::Receiver;
 using Registry [[deprecated("Remove in v4.1. Use zeek::notifier::detail::Registry.")]] = zeek::notifier::detail::Registry;
 using Modifiable [[deprecated("Remove in v4.1. Use zeek::notifier::detail::Modifiable.")]] = zeek::notifier::detail::Modifiable;
 extern zeek::notifier::detail::Registry& registry [[deprecated("Remove from v4.1. Use zeek::notifier::detail::registry.")]];
 } // namespace notifier
--- a/src/Obj.cc
+++ b/src/Obj.cc
@ -45,7 +45,7 @@ void Location::Describe(zeek::ODesc* d) const
 bool Location::operator==(const Location& l) const
 	{
 	if ( filename == l.filename ||
-	     (filename && l.filename && streq(filename, l.filename)) )
+	     (filename && l.filename && zeek::util::streq(filename, l.filename)) )
 		return first_line == l.first_line && last_line == l.last_line;
 	else
 		return false;
@ -137,7 +137,7 @@ bool Obj::SetLocationInfo(const detail::Location* start, const detail::Location*
 	if ( ! start || ! end )
 		return false;
-	if ( end->filename && ! streq(start->filename, end->filename) )
+	if ( end->filename && ! zeek::util::streq(start->filename, end->filename) )
 		return false;
 	if ( location && (start == &zeek::detail::no_location || end == &zeek::detail::no_location) )
--- a/src/OpaqueVal.cc
+++ b/src/OpaqueVal.cc
@ -706,7 +706,7 @@ BloomFilterVal::BloomFilterVal()
 	bloom_filter = nullptr;
 	}
-BloomFilterVal::BloomFilterVal(probabilistic::BloomFilter* bf)
+BloomFilterVal::BloomFilterVal(zeek::probabilistic::BloomFilter* bf)
 	: OpaqueVal(bloomfilter_type)
 	{
 	hash = nullptr;
@ -784,7 +784,7 @@ BloomFilterValPtr BloomFilterVal::Merge(const BloomFilterVal* x,
 		return nullptr;
 		}
-	probabilistic::BloomFilter* copy = x->bloom_filter->Clone();
+	zeek::probabilistic::BloomFilter* copy = x->bloom_filter->Clone();
 	if ( ! copy->Merge(y->bloom_filter) )
 		{
@ -851,7 +851,7 @@ bool BloomFilterVal::DoUnserialize(const broker::data& data)
 			return false;
 		}
-	auto bf = probabilistic::BloomFilter::Unserialize((*v)[1]);
+	auto bf = zeek::probabilistic::BloomFilter::Unserialize((*v)[1]);
 	if ( ! bf )
 		return false;
@ -865,7 +865,7 @@ CardinalityVal::CardinalityVal() : OpaqueVal(cardinality_type)
 	hash = nullptr;
 	}
-CardinalityVal::CardinalityVal(probabilistic::CardinalityCounter* arg_c)
+CardinalityVal::CardinalityVal(zeek::probabilistic::detail::CardinalityCounter* arg_c)
 	: OpaqueVal(cardinality_type)
 	{
 	c = arg_c;
@ -881,7 +881,7 @@ CardinalityVal::~CardinalityVal()
 ValPtr CardinalityVal::DoClone(CloneState* state)
 	{
 	return state->NewClone(this,
-			       zeek::make_intrusive<CardinalityVal>(new probabilistic::CardinalityCounter(*c)));
+			       zeek::make_intrusive<CardinalityVal>(new zeek::probabilistic::detail::CardinalityCounter(*c)));
 	}
 bool CardinalityVal::Typify(zeek::TypePtr arg_type)
@ -945,7 +945,7 @@ bool CardinalityVal::DoUnserialize(const broker::data& data)
 			return false;
 		}
-	auto cu = probabilistic::CardinalityCounter::Unserialize((*v)[1]);
+	auto cu = zeek::probabilistic::detail::CardinalityCounter::Unserialize((*v)[1]);
 	if ( ! cu )
 		return false;
--- a/src/OpaqueVal.h
+++ b/src/OpaqueVal.h
@ -14,10 +14,8 @@
 namespace broker { class data; }
-namespace probabilistic {
+ZEEK_FORWARD_DECLARE_NAMESPACED(BloomFilter, zeek, probabilistic);
-	class BloomFilter;
+ZEEK_FORWARD_DECLARE_NAMESPACED(CardinalityCounter, zeek, probabilistic, detail);
 	class CardinalityCounter;
 }
 namespace zeek {
@ -306,7 +304,7 @@ private:
 class BloomFilterVal : public OpaqueVal {
 public:
-	explicit BloomFilterVal(probabilistic::BloomFilter* bf);
+	explicit BloomFilterVal(zeek::probabilistic::BloomFilter* bf);
 	~BloomFilterVal() override;
 	ValPtr DoClone(CloneState* state) override;
@ -337,13 +335,13 @@ private:
 	zeek::TypePtr type;
 	zeek::detail::CompositeHash* hash;
-	probabilistic::BloomFilter* bloom_filter;
+	zeek::probabilistic::BloomFilter* bloom_filter;
 };
 class CardinalityVal : public OpaqueVal {
 public:
-	explicit CardinalityVal(probabilistic::CardinalityCounter*);
+	explicit CardinalityVal(zeek::probabilistic::detail::CardinalityCounter*);
 	~CardinalityVal() override;
 	ValPtr DoClone(CloneState* state) override;
@ -355,7 +353,7 @@ public:
 	bool Typify(zeek::TypePtr type);
-	probabilistic::CardinalityCounter* Get()	{ return c; };
+	zeek::probabilistic::detail::CardinalityCounter* Get()	{ return c; };
 protected:
 	CardinalityVal();
@ -364,7 +362,7 @@ protected:
 private:
 	zeek::TypePtr type;
 	zeek::detail::CompositeHash* hash;
-	probabilistic::CardinalityCounter* c;
+	zeek::probabilistic::detail::CardinalityCounter* c;
 };
 class ParaglobVal : public OpaqueVal {
@ -383,7 +381,7 @@ private:
 	std::unique_ptr<paraglob::Paraglob> internal_paraglob;
 };
-}
+} // namespace zeek
 using OpaqueMgr [[deprecated("Remove in v4.1. Use zeek::OpaqueMgr instead.")]] = zeek::OpaqueMgr;
 using OpaqueVal [[deprecated("Remove in v4.1. Use zeek::OpaqueVal instead.")]] = zeek::OpaqueVal;
--- a/src/Options.cc
+++ b/src/Options.cc
@ -15,14 +15,16 @@
 #include "bsd-getopt-long.h"
 #include "logging/writers/ascii/Ascii.h"
-void zeek::Options::filter_supervisor_options()
+namespace zeek {
 void Options::filter_supervisor_options()
 	{
 	pcap_filter = {};
 	signature_files = {};
 	pcap_output_file = {};
 	}
-void zeek::Options::filter_supervised_node_options()
+void Options::filter_supervised_node_options()
 	{
 	auto og = *this;
 	*this = {};
@ -64,14 +66,14 @@ void zeek::Options::filter_supervised_node_options()
 	script_options_to_set = og.script_options_to_set;
 	}
-bool zeek::fake_dns()
+bool fake_dns()
 	{
-	return zeekenv("ZEEK_DNS_FAKE");
+	return zeek::util::zeekenv("ZEEK_DNS_FAKE");
 	}
 extern const char* zeek_version();
-void zeek::usage(const char* prog, int code)
+void usage(const char* prog, int code)
 	{
 	fprintf(stderr, "zeek version %s\n", zeek_version());
@ -121,16 +123,16 @@ void zeek::usage(const char* prog, int code)
 #endif
 	fprintf(stderr, "    --test                         | run unit tests ('--test -h' for help, only when compiling with ENABLE_ZEEK_UNIT_TESTS)\n");
-	fprintf(stderr, "    $ZEEKPATH                      | file search path (%s)\n", bro_path().c_str());
+	fprintf(stderr, "    $ZEEKPATH                      | file search path (%s)\n", zeek::util::zeek_path().c_str());
-	fprintf(stderr, "    $ZEEK_PLUGIN_PATH              | plugin search path (%s)\n", bro_plugin_path());
+	fprintf(stderr, "    $ZEEK_PLUGIN_PATH              | plugin search path (%s)\n", zeek::util::zeek_plugin_path());
-	fprintf(stderr, "    $ZEEK_PLUGIN_ACTIVATE          | plugins to always activate (%s)\n", bro_plugin_activate());
+	fprintf(stderr, "    $ZEEK_PLUGIN_ACTIVATE          | plugins to always activate (%s)\n", zeek::util::zeek_plugin_activate());
-	fprintf(stderr, "    $ZEEK_PREFIXES                 | prefix list (%s)\n", bro_prefixes().c_str());
+	fprintf(stderr, "    $ZEEK_PREFIXES                 | prefix list (%s)\n", zeek::util::zeek_prefixes().c_str());
 	fprintf(stderr, "    $ZEEK_DNS_FAKE                 | disable DNS lookups (%s)\n", zeek::fake_dns() ? "on" : "off");
 	fprintf(stderr, "    $ZEEK_SEED_FILE                | file to load seeds from (not set)\n");
-	fprintf(stderr, "    $ZEEK_LOG_SUFFIX               | ASCII log file extension (.%s)\n", logging::writer::Ascii::LogExt().c_str());
+	fprintf(stderr, "    $ZEEK_LOG_SUFFIX               | ASCII log file extension (.%s)\n", zeek::logging::writer::detail::Ascii::LogExt().c_str());
 	fprintf(stderr, "    $ZEEK_PROFILER_FILE            | Output file for script execution statistics (not set)\n");
-	fprintf(stderr, "    $ZEEK_DISABLE_ZEEKYGEN         | Disable Zeekygen documentation support (%s)\n", zeekenv("ZEEK_DISABLE_ZEEKYGEN") ? "set" : "not set");
+	fprintf(stderr, "    $ZEEK_DISABLE_ZEEKYGEN         | Disable Zeekygen documentation support (%s)\n", zeek::util::zeekenv("ZEEK_DISABLE_ZEEKYGEN") ? "set" : "not set");
-	fprintf(stderr, "    $ZEEK_DNS_RESOLVER             | IPv4/IPv6 address of DNS resolver to use (%s)\n", zeekenv("ZEEK_DNS_RESOLVER") ? zeekenv("ZEEK_DNS_RESOLVER") : "not set, will use first IPv4 address from /etc/resolv.conf");
+	fprintf(stderr, "    $ZEEK_DNS_RESOLVER             | IPv4/IPv6 address of DNS resolver to use (%s)\n", zeek::util::zeekenv("ZEEK_DNS_RESOLVER") ? zeek::util::zeekenv("ZEEK_DNS_RESOLVER") : "not set, will use first IPv4 address from /etc/resolv.conf");
 	fprintf(stderr, "    $ZEEK_DEBUG_LOG_STDERR         | Use stderr for debug logs generated via the -B flag");
 	fprintf(stderr, "\n");
@ -138,9 +140,9 @@ void zeek::usage(const char* prog, int code)
 	exit(code);
 	}
-zeek::Options zeek::parse_cmdline(int argc, char** argv)
+Options parse_cmdline(int argc, char** argv)
 	{
-	zeek::Options rval;
+	Options rval;
 	// When running unit tests, the first argument on the command line must be
 	// --test, followed by doctest options. Optionally, users can use "--" as
@ -236,8 +238,8 @@ zeek::Options zeek::parse_cmdline(int argc, char** argv)
 	};
 	char opts[256];
-	safe_strncpy(opts, "B:e:f:G:H:I:i:j::n:p:r:s:T:t:U:w:X:CDFNPQSWabdhv",
+	zeek::util::safe_strncpy(opts, "B:e:f:G:H:I:i:j::n:p:r:s:T:t:U:w:X:CDFNPQSWabdhv",
-	             sizeof(opts));
+	                         sizeof(opts));
 #ifdef USE_PERFTOOLS_DEBUG
 	strncat(opts, "mM", 2);
@ -431,7 +433,7 @@ zeek::Options zeek::parse_cmdline(int argc, char** argv)
 		if ( path->empty() )
 			return;
-		*path = normalize_path(*path);
+		*path = zeek::util::detail::normalize_path(*path);
 		if ( (*path)[0] == '/' || (*path)[0] == '~' )
 			// Absolute path
@ -440,7 +442,7 @@ zeek::Options zeek::parse_cmdline(int argc, char** argv)
 		if ( (*path)[0] != '.' )
 			{
 			// Look up file in ZEEKPATH
-			auto res = find_script_file(*path, bro_path());
+			auto res = zeek::util::find_script_file(*path, zeek::util::zeek_path());
 			if ( res.empty() )
 				{
@ -479,3 +481,5 @@ zeek::Options zeek::parse_cmdline(int argc, char** argv)
 	return rval;
 	}
 } // namespace zeek
--- a/src/PacketDumper.cc
+++ b/src/PacketDumper.cc
@ -33,7 +33,7 @@ void PacketDumper::DumpPacket(const struct pcap_pkthdr* hdr,
 void PacketDumper::SortTimeStamp(struct timeval* timestamp)
 	{
-	if ( time_compare(&last_timestamp, timestamp) > 0 )
+	if ( zeek::util::time_compare(&last_timestamp, timestamp) > 0 )
 		*timestamp = last_timestamp;
 	else
 		last_timestamp = *timestamp;
--- a/src/PacketFilter.cc
+++ b/src/PacketFilter.cc
@ -20,7 +20,7 @@ void PacketFilter::AddSrc(const zeek::IPAddr& src, uint32_t tcp_flags, double pr
 	{
 	Filter* f = new Filter;
 	f->tcp_flags = tcp_flags;
-	f->probability = probability * static_cast<double>(zeek::max_random());
+	f->probability = probability * static_cast<double>(zeek::util::detail::max_random());
 	auto prev = static_cast<Filter*>(src_filter.Insert(src, 128, f));
 	delete prev;
 	}
@ -29,7 +29,7 @@ void PacketFilter::AddSrc(zeek::Val* src, uint32_t tcp_flags, double probability
 	{
 	Filter* f = new Filter;
 	f->tcp_flags = tcp_flags;
-	f->probability = probability * static_cast<double>(zeek::max_random());
+	f->probability = probability * static_cast<double>(zeek::util::detail::max_random());
 	auto prev = static_cast<Filter*>(src_filter.Insert(src, f));
 	delete prev;
 	}
@ -38,7 +38,7 @@ void PacketFilter::AddDst(const zeek::IPAddr& dst, uint32_t tcp_flags, double pr
 	{
 	Filter* f = new Filter;
 	f->tcp_flags = tcp_flags;
-	f->probability = probability * static_cast<double>(zeek::max_random());
+	f->probability = probability * static_cast<double>(zeek::util::detail::max_random());
 	auto prev = static_cast<Filter*>(dst_filter.Insert(dst, 128, f));
 	delete prev;
 	}
@ -47,7 +47,7 @@ void PacketFilter::AddDst(zeek::Val* dst, uint32_t tcp_flags, double probability
 	{
 	Filter* f = new Filter;
 	f->tcp_flags = tcp_flags;
-	f->probability = probability * static_cast<double>(zeek::max_random());
+	f->probability = probability * static_cast<double>(zeek::util::detail::max_random());
 	auto prev = static_cast<Filter*>(dst_filter.Insert(dst, f));
 	delete prev;
 	}
@ -115,7 +115,7 @@ bool PacketFilter::MatchFilter(const Filter& f, const zeek::IP_Hdr& ip,
 			return false;
 		}
-	return zeek::random_number() < f.probability;
+	return zeek::util::detail::random_number() < f.probability;
 	}
 } // namespace zeek::detail
--- a/src/Pipe.cc
+++ b/src/Pipe.cc
@ -12,7 +12,7 @@ using namespace zeek::detail;
 static void pipe_fail(int eno)
 	{
 	char tmp[256];
-	bro_strerror_r(eno, tmp, sizeof(tmp));
+	zeek::util::zeek_strerror_r(eno, tmp, sizeof(tmp));
 	if ( zeek::reporter )
 		zeek::reporter->FatalError("Pipe failure: %s", tmp);
--- a/src/PolicyFile.cc
+++ b/src/PolicyFile.cc
@ -10,13 +10,13 @@
 #include <string>
 #include <vector>
 using namespace std;
 #include "Debug.h"
 #include "util.h"
 #include "PolicyFile.h"
 #include "Reporter.h"
 using namespace std;
 struct PolicyFile {
 	PolicyFile ()	{ filedata = nullptr; lmtime = 0; }
 	~PolicyFile ()	{ delete [] filedata; filedata = nullptr; }
@ -29,6 +29,8 @@ struct PolicyFile {
 typedef map<string, PolicyFile*> PolicyFileMap;
 static PolicyFileMap policy_files;
 namespace zeek::detail {
 int how_many_lines_in(const char* policy_filename)
 	{
 	if ( ! policy_filename )
@ -84,7 +86,7 @@ bool LoadPolicyFileText(const char* policy_filename)
 	if ( fstat(fileno(f), &st) != 0 )
 		{
 		char buf[256];
-		bro_strerror_r(errno, buf, sizeof(buf));
+		zeek::util::zeek_strerror_r(errno, buf, sizeof(buf));
 		zeek::reporter->Error("fstat failed on %s: %s", policy_filename, buf);
 		fclose(f);
 		return false;
@ -174,3 +176,5 @@ bool PrintLines(const char* policy_filename, unsigned int start_line,
 	return true;
 	}
 } // namespace zeek::detail
--- a/src/PolicyFile.h
+++ b/src/PolicyFile.h
@ -14,10 +14,14 @@
 // policy_filename arguments should be absolute or relative paths;
 // no expansion is done.
 namespace zeek::detail {
 int how_many_lines_in(const char* policy_filename);
 bool LoadPolicyFileText(const char* policy_filename);
 // start_line is 1-based (the intuitive way)
 bool PrintLines(const char* policy_filename, unsigned int start_line,
-		unsigned int how_many_lines, bool show_numbers);
+                unsigned int how_many_lines, bool show_numbers);
 } // namespace zeek::detail
--- a/src/PrefixTable.cc
+++ b/src/PrefixTable.cc
@ -6,7 +6,7 @@ namespace zeek::detail {
 prefix_t* PrefixTable::MakePrefix(const zeek::IPAddr& addr, int width)
 	{
-	prefix_t* prefix = (prefix_t*) safe_malloc(sizeof(prefix_t));
+	prefix_t* prefix = (prefix_t*) zeek::util::safe_malloc(sizeof(prefix_t));
 	addr.CopyIPv6(&prefix->add.sin6);
 	prefix->family = AF_INET6;
--- a/src/RE.cc
+++ b/src/RE.cc
@ -423,21 +423,21 @@ unsigned int Specific_RE_Matcher::MemoryAllocation() const
 	for ( int i = 0; i < ccl_list.length(); ++i )
 		size += ccl_list[i]->MemoryAllocation();
-	size += pad_size(sizeof(CCL*) * ccl_dict.size());
+	size += zeek::util::pad_size(sizeof(CCL*) * ccl_dict.size());
 	for ( const auto& entry : ccl_dict )
 		{
-		size += padded_sizeof(std::string) + pad_size(sizeof(std::string::value_type) * entry.first.size());
+		size += padded_sizeof(std::string) + zeek::util::pad_size(sizeof(std::string::value_type) * entry.first.size());
 		size += entry.second->MemoryAllocation();
 		}
 	for ( const auto& entry : defs )
 		{
-		size += padded_sizeof(std::string) + pad_size(sizeof(std::string::value_type) * entry.first.size());
+		size += padded_sizeof(std::string) + zeek::util::pad_size(sizeof(std::string::value_type) * entry.first.size());
-		size += padded_sizeof(std::string) + pad_size(sizeof(std::string::value_type) * entry.second.size());
+		size += padded_sizeof(std::string) + zeek::util::pad_size(sizeof(std::string::value_type) * entry.second.size());
 		}
 	return size + padded_sizeof(*this)
-		+ (pattern_text ? pad_size(strlen(pattern_text) + 1) : 0)
+		+ (pattern_text ? zeek::util::pad_size(strlen(pattern_text) + 1) : 0)
 		+ ccl_list.MemoryAllocation() - padded_sizeof(ccl_list)
 		+ equiv_class.Size() - padded_sizeof(EquivClass)
 		+ (dfa ? dfa->MemoryAllocation() : 0) // this is ref counted; consider the bytes here?
--- a/src/RE.h
+++ b/src/RE.h
@ -59,7 +59,7 @@ public:
 	void MakeCaseInsensitive();
-	void SetPat(const char* pat)	{ pattern_text = copy_string(pat); }
+	void SetPat(const char* pat)	{ pattern_text = zeek::util::copy_string(pat); }
 	bool Compile(bool lazy = false);
--- a/src/Reassem.h
+++ b/src/Reassem.h
@ -27,7 +27,6 @@ enum ReassemblerType {
 class Reassembler;
 /**
 * A block/segment of data for use in the reassembly process.
 */
--- a/src/Reporter.cc
+++ b/src/Reporter.cc
@ -12,7 +12,7 @@
 #include "Event.h"
 #include "Expr.h"
 #include "NetVar.h"
-#include "Net.h"
+#include "RunState.h"
 #include "Conn.h"
 #include "Timer.h"
 #include "ID.h"
@ -126,7 +126,7 @@ void Reporter::FatalError(const char* fmt, ...)
 	va_end(ap);
-	set_processing_status("TERMINATED", "fatal_error");
+	zeek::util::detail::set_processing_status("TERMINATED", "fatal_error");
 	fflush(stderr);
 	fflush(stdout);
 	_exit(1);
@ -142,7 +142,7 @@ void Reporter::FatalErrorWithCore(const char* fmt, ...)
 	va_end(ap);
-	set_processing_status("TERMINATED", "fatal_error");
+	zeek::util::detail::set_processing_status("TERMINATED", "fatal_error");
 	abort();
 	}
@ -195,7 +195,7 @@ void Reporter::InternalError(const char* fmt, ...)
 	va_end(ap);
-	set_processing_status("TERMINATED", "internal_error");
+	zeek::util::detail::set_processing_status("TERMINATED", "internal_error");
 	abort();
 	}
@ -226,7 +226,7 @@ void Reporter::InternalWarning(const char* fmt, ...)
 void Reporter::Syslog(const char* fmt, ...)
 	{
-	if ( reading_traces )
+	if ( zeek::run_state::reading_traces )
 		return;
 	va_list ap;
@ -235,7 +235,7 @@ void Reporter::Syslog(const char* fmt, ...)
 	va_end(ap);
 	}
-void Reporter::WeirdHelper(EventHandlerPtr event, val_list vl, const char* fmt_name, ...)
+void Reporter::WeirdHelper(EventHandlerPtr event, ValPList vl, const char* fmt_name, ...)
 	{
 	va_list ap;
 	va_start(ap, fmt_name);
@ -313,7 +313,7 @@ bool Reporter::PermitNetWeird(const char* name)
 	++count;
 	if ( count == 1 )
-		zeek::detail::timer_mgr->Add(new NetWeirdTimer(network_time, name,
+		zeek::detail::timer_mgr->Add(new NetWeirdTimer(zeek::run_state::network_time, name,
 		                                               weird_sampling_duration));
 	if ( count <= weird_sampling_threshold )
@ -333,7 +333,7 @@ bool Reporter::PermitFlowWeird(const char* name,
 	auto& map = flow_weird_state[endpoints];
 	if ( map.empty() )
-		zeek::detail::timer_mgr->Add(new FlowWeirdTimer(network_time, endpoints,
+		zeek::detail::timer_mgr->Add(new FlowWeirdTimer(zeek::run_state::network_time, endpoints,
 		                                                weird_sampling_duration));
 	auto& count = map[name];
@ -360,7 +360,7 @@ bool Reporter::PermitExpiredConnWeird(const char* name, const zeek::RecordVal& c
 	auto& map = expired_conn_weird_state[conn_tuple];
 	if ( map.empty() )
-		zeek::detail::timer_mgr->Add(new ConnTupleWeirdTimer(network_time,
+		zeek::detail::timer_mgr->Add(new ConnTupleWeirdTimer(zeek::run_state::network_time,
 		                                                     std::move(conn_tuple),
 		                                                     weird_sampling_duration));
@ -453,7 +453,7 @@ void Reporter::Weird(const zeek::IPAddr& orig, const zeek::IPAddr& resp, const c
 	}
 void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
-                     Connection* conn, val_list* addl, bool location, bool time,
+                     Connection* conn, ValPList* addl, bool location, bool time,
                     const char* postfix, const char* fmt, va_list ap)
 	{
 	static char tmp[512];
@ -562,7 +562,8 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
 		vl.reserve(vl_size);
 		if ( time )
-			vl.emplace_back(zeek::make_intrusive<zeek::TimeVal>(network_time ? network_time : current_time()));
+			vl.emplace_back(zeek::make_intrusive<zeek::TimeVal>(
 				                zeek::run_state::network_time ? zeek::run_state::network_time : zeek::util::current_time()));
 		vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(buffer));
@ -594,10 +595,10 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
 		{
 		std::string s = "";
-		if ( bro_start_network_time != 0.0 )
+		if ( zeek::run_state::zeek_start_network_time != 0.0 )
 			{
 			char tmp[32];
-			snprintf(tmp, 32, "%.6f", network_time);
+			snprintf(tmp, 32, "%.6f", zeek::run_state::network_time);
 			s += std::string(tmp) + " ";
 			}
--- a/src/Reporter.h
+++ b/src/Reporter.h
@ -12,11 +12,11 @@
 #include <unordered_set>
 #include <unordered_map>
-#include "BroList.h"
+#include "ZeekList.h"
 #include "net_util.h"
 ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, analyzer);
-namespace file_analysis { class File; }
+ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Connection, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(EventHandlerPtr, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(RecordVal, zeek);
@ -260,12 +260,12 @@ public:
 private:
 	void DoLog(const char* prefix, zeek::EventHandlerPtr event, FILE* out,
-		   Connection* conn, val_list* addl, bool location, bool time,
+		   Connection* conn, ValPList* addl, bool location, bool time,
 		   const char* postfix, const char* fmt, va_list ap) __attribute__((format(printf, 10, 0)));
 	// WeirdHelper doesn't really have to be variadic, but it calls DoLog
 	// and that takes va_list anyway.
-	void WeirdHelper(zeek::EventHandlerPtr event, val_list vl, const char* fmt_name, ...) __attribute__((format(printf, 4, 5)));;
+	void WeirdHelper(zeek::EventHandlerPtr event, ValPList vl, const char* fmt_name, ...) __attribute__((format(printf, 4, 5)));;
 	void UpdateWeirdStats(const char* name);
 	inline bool WeirdOnSamplingWhiteList(const char* name)
 		{ return weird_sampling_whitelist.find(name) != weird_sampling_whitelist.end(); }
--- a/src/Rule.cc
+++ b/src/Rule.cc
@ -75,7 +75,7 @@ void Rule::AddPattern(const char* str, Rule::PatternType type,
 			uint32_t offset, uint32_t depth)
 	{
 	Pattern* p = new Pattern;
-	p->pattern = copy_string(str);
+	p->pattern = zeek::util::copy_string(str);
 	p->type = type;
 	p->id = ++pattern_counter;
 	p->offset = offset;
@ -88,7 +88,7 @@ void Rule::AddPattern(const char* str, Rule::PatternType type,
 void Rule::AddRequires(const char* id, bool opposite_direction, bool negate)
 	{
 	Precond* p = new Precond;
-	p->id = copy_string(id);
+	p->id = zeek::util::copy_string(id);
 	p->rule = nullptr;
 	p->opposite_dir = opposite_direction;
 	p->negate = negate;
--- a/src/Rule.h
+++ b/src/Rule.h
@ -24,7 +24,7 @@ class Rule {
 public:
 	Rule(const char* arg_id, const zeek::detail::Location& arg_location)
 		{
-		id = copy_string(arg_id);
+		id = zeek::util::copy_string(arg_id);
 		idx = rule_counter++;
 		location = arg_location;
 		active = true;
--- a/src/RuleAction.cc
+++ b/src/RuleAction.cc
@ -16,7 +16,7 @@ namespace zeek::detail {
 RuleActionEvent::RuleActionEvent(const char* arg_msg)
 	{
-	msg = copy_string(arg_msg);
+	msg = zeek::util::copy_string(arg_msg);
 	}
 void RuleActionEvent::DoAction(const Rule* parent, RuleEndpointState* state,
@ -38,7 +38,7 @@ void RuleActionEvent::PrintDebug()
 RuleActionMIME::RuleActionMIME(const char* arg_mime, int arg_strength)
 	{
-	mime = copy_string(arg_mime);
+	mime = zeek::util::copy_string(arg_mime);
 	strength = arg_strength;
 	}
--- a/src/RuleCondition.cc
+++ b/src/RuleCondition.cc
@ -9,15 +9,15 @@
 #include "ID.h"
 #include "Val.h"
-static inline bool is_established(const analyzer::tcp::TCP_Endpoint* e)
+static inline bool is_established(const zeek::analyzer::tcp::TCP_Endpoint* e)
 	{
 	// We more or less follow Snort here: an established session
 	// is one for which the initial handshake has succeded (but we
 	// add partial connections).  The connection tear-down is part
 	// of the connection.
-	return e->state != analyzer::tcp::TCP_ENDPOINT_INACTIVE &&
+	return e->state != zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE &&
-	       e->state != analyzer::tcp::TCP_ENDPOINT_SYN_SENT &&
+	       e->state != zeek::analyzer::tcp::TCP_ENDPOINT_SYN_SENT &&
-	       e->state != analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT;
+	       e->state != zeek::analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT;
 	}
 namespace zeek::detail {
@ -30,7 +30,7 @@ bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state,
 	if ( ! root || ! root->IsAnalyzer("TCP") )
 		return false;
-	::analyzer::tcp::TCP_Analyzer* ta = static_cast<::analyzer::tcp::TCP_Analyzer*>(root);
+	auto* ta = static_cast<zeek::analyzer::tcp::TCP_Analyzer*>(root);
 	if ( tcpstates & STATE_STATELESS )
 		return true;
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@ -22,6 +22,7 @@
 #include "module_util.h"
 #include "Var.h"
 #include "IPAddr.h"
 #include "RunState.h"
 using namespace std;
@ -113,7 +114,7 @@ RuleHdrTest::RuleHdrTest(RuleHdrTest& h)
 			copied_set->re = nullptr;
 			copied_set->ids = orig_set->ids;
 			for ( const auto& pattern : orig_set->patterns )
-				copied_set->patterns.push_back(copy_string(pattern));
+				copied_set->patterns.push_back(zeek::util::copy_string(pattern));
 			delete copied_set;
 			// TODO: Why do we create copied_set only to then
 			// never use it?
@ -184,8 +185,8 @@ void RuleHdrTest::PrintDebug()
 	}
 RuleEndpointState::RuleEndpointState(zeek::analyzer::Analyzer* arg_analyzer, bool arg_is_orig,
-					  RuleEndpointState* arg_opposite,
+                                     RuleEndpointState* arg_opposite,
-					  ::analyzer::pia::PIA* arg_PIA)
+                                     zeek::analyzer::pia::PIA* arg_PIA)
 	{
 	payload_size = -1;
 	analyzer = arg_analyzer;
@ -261,7 +262,7 @@ bool RuleMatcher::ReadFiles(const std::vector<std::string>& files)
 	for ( const auto& f : files )
 		{
-		rules_in = open_file(find_file(f, bro_path(), ".sig"));
+		rules_in = zeek::util::open_file(zeek::util::find_file(f, zeek::util::zeek_path(), ".sig"));
 		if ( ! rules_in )
 			{
@ -673,8 +674,8 @@ RuleMatcher::MIME_Matches* RuleMatcher::Match(RuleFileMagicState* state,
 #ifdef DEBUG
 	if ( debug_logger.IsEnabled(zeek::DBG_RULES) )
 		{
-		const char* s = fmt_bytes(reinterpret_cast<const char*>(data),
+		const char* s = zeek::util::fmt_bytes(reinterpret_cast<const char*>(data),
-		                          min(40, static_cast<int>(len)));
+		                                      min(40, static_cast<int>(len)));
 		DBG_LOG(zeek::DBG_RULES, "Matching %s rules on |%s%s|",
 		        Rule::TypeToString(Rule::FILE_MAGIC), s,
 		        len > 40 ? "..." : "");
@ -741,7 +742,7 @@ RuleMatcher::MIME_Matches* RuleMatcher::Match(RuleFileMagicState* state,
 RuleEndpointState* RuleMatcher::InitEndpoint(zeek::analyzer::Analyzer* analyzer,
                                             const zeek::IP_Hdr* ip, int caplen,
                                             RuleEndpointState* opposite,
-                                             bool from_orig, ::analyzer::pia::PIA* pia)
+                                             bool from_orig, zeek::analyzer::pia::PIA* pia)
 	{
 	RuleEndpointState* state =
 		new RuleEndpointState(analyzer, from_orig, opposite, pia);
@ -871,7 +872,7 @@ void RuleMatcher::Match(RuleEndpointState* state, Rule::PatternType type,
 	if ( debug_logger.IsEnabled(zeek::DBG_RULES) )
 		{
 		const char* s =
-			fmt_bytes((const char *) data, min(40, data_len));
+			zeek::util::fmt_bytes((const char *) data, min(40, data_len));
 		DBG_LOG(zeek::DBG_RULES, "Matching %s rules [%d,%d] on |%s%s|",
 				Rule::TypeToString(type), bol, eol, s,
@ -1234,12 +1235,12 @@ void RuleMatcher::DumpStats(zeek::File* f)
 	Stats stats;
 	GetStats(&stats);
-	f->Write(fmt("%.6f computed dfa states = %d; classes = ??; "
+	f->Write(zeek::util::fmt("%.6f computed dfa states = %d; classes = ??; "
-			"computed trans. = %d; matchers = %d; mem = %d\n",
+	                         "computed trans. = %d; matchers = %d; mem = %d\n",
-			network_time, stats.dfa_states, stats.computed,
+	                         zeek::run_state::network_time, stats.dfa_states, stats.computed,
-			stats.matchers, stats.mem));
+	                         stats.matchers, stats.mem));
-	f->Write(fmt("%.6f DFA cache hits = %d; misses = %d\n", network_time,
+	f->Write(zeek::util::fmt("%.6f DFA cache hits = %d; misses = %d\n", zeek::run_state::network_time,
-			stats.hits, stats.misses));
+	                         stats.hits, stats.misses));
 	DumpStateStats(f, root);
 	}
@ -1256,14 +1257,15 @@ void RuleMatcher::DumpStateStats(zeek::File* f, RuleHdrTest* hdr_test)
 			RuleHdrTest::PatternSet* set = hdr_test->psets[i][j];
 			assert(set->re);
-			f->Write(fmt("%.6f %d DFA states in %s group %d from sigs ", network_time,
+			f->Write(zeek::util::fmt("%.6f %d DFA states in %s group %d from sigs ",
-					 set->re->DFA()->NumStates(),
+			                         zeek::run_state::network_time,
-					 Rule::TypeToString((Rule::PatternType)i), j));
+			                         set->re->DFA()->NumStates(),
 			                         Rule::TypeToString((Rule::PatternType)i), j));
 			for ( const auto& id : set->ids )
 				{
 				Rule* r = Rule::rule_table[id - 1];
-				f->Write(fmt("%s ", r->ID()));
+				f->Write(zeek::util::fmt("%s ", r->ID()));
 				}
 			f->Write("\n");
@ -1399,7 +1401,7 @@ char* id_to_str(const char* id)
 	return dst;
 error:
-	char* dummy = copy_string("<error>");
+	char* dummy = zeek::util::copy_string("<error>");
 	return dummy;
 	}
@ -1420,7 +1422,7 @@ uint32_t id_to_uint(const char* id)
 	}
 void RuleMatcherState::InitEndpointMatcher(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip,
-                                           int caplen, bool from_orig, ::analyzer::pia::PIA* pia)
+                                           int caplen, bool from_orig, zeek::analyzer::pia::PIA* pia)
 	{
 	if ( ! rule_matcher )
 		return;
--- a/src/RuleMatcher.h
+++ b/src/RuleMatcher.h
@ -37,10 +37,7 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(IPPrefix, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, analyzer);
 ZEEK_FORWARD_DECLARE_NAMESPACED(IntSet, zeek::detail);
-
+ZEEK_FORWARD_DECLARE_NAMESPACED(PIA, zeek, analyzer::pia);
 namespace analyzer {
 	namespace pia { class PIA; }
 }
 namespace zeek::detail {
@ -154,7 +151,7 @@ public:
 	// Returns -1 if no chunk has been fed yet at all.
 	int PayloadSize()	{ return payload_size; }
-	::analyzer::pia::PIA* PIA() const	{ return pia; }
+	zeek::analyzer::pia::PIA* PIA() const	{ return pia; }
 private:
 	friend class RuleMatcher;
@ -162,7 +159,7 @@ private:
 	// Constructor is private; use RuleMatcher::InitEndpoint()
 	// for creating an instance.
 	RuleEndpointState(zeek::analyzer::Analyzer* arg_analyzer, bool arg_is_orig,
-	                  RuleEndpointState* arg_opposite, ::analyzer::pia::PIA* arg_PIA);
+	                  RuleEndpointState* arg_opposite, zeek::analyzer::pia::PIA* arg_PIA);
 	struct Matcher {
 		RE_Match_State* state;
@ -173,7 +170,7 @@ private:
 	zeek::analyzer::Analyzer* analyzer;
 	RuleEndpointState* opposite;
-	::analyzer::pia::PIA* pia;
+	zeek::analyzer::pia::PIA* pia;
 	matcher_list matchers;
 	rule_hdr_test_list hdr_tests;
@ -267,7 +264,7 @@ public:
 	// it needs to be given.
 	RuleEndpointState* InitEndpoint(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip,
 	                                int caplen, RuleEndpointState* opposite, bool is_orig,
-	                                ::analyzer::pia::PIA* pia);
+	                                zeek::analyzer::pia::PIA* pia);
 	// Finish matching for this stream.
 	void FinishEndpoint(RuleEndpointState* state);
@ -376,7 +373,7 @@ public:
 	// ip may be nil.
 	void InitEndpointMatcher(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip,
-	                         int caplen, bool from_orig, ::analyzer::pia::PIA* pia = nullptr);
+	                         int caplen, bool from_orig, zeek::analyzer::pia::PIA* pia = nullptr);
 	// bol/eol should be set to false for type Rule::PAYLOAD; they're
 	// deduced automatically.
--- a/src/RunState.cc
+++ b/src/RunState.cc
@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "zeek-config.h"
-#include "Net.h"
+#include "RunState.h"
 #include <sys/types.h>
 #ifdef TIME_WITH_SYS_TIME
@ -15,7 +15,6 @@
 # endif
 #endif
 #include <errno.h>
 #include <signal.h>
 #include <stdlib.h>
 #include <unistd.h>
@ -42,29 +41,16 @@ extern "C" {
 extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
 }
-iosource::PktDumper* pkt_dumper = nullptr;
+static double last_watchdog_proc_time = 0.0;	// value of above during last watchdog
 extern int signal_val;
-bool reading_live = false;
+namespace zeek::run_state {
-bool reading_traces = false;
+namespace detail {
 zeek::iosource::PktDumper* pkt_dumper = nullptr;
 zeek::iosource::PktSrc* current_pktsrc = nullptr;
 zeek::iosource::IOSource* current_iosrc = nullptr;
 bool have_pending_timers = false;
 double pseudo_realtime = 0.0;
 double network_time = 0.0;	// time according to last packet timestamp
 				// (or current time)
 double processing_start_time = 0.0;	// time started working on current pkt
 double bro_start_time = 0.0; // time Bro started.
 double bro_start_network_time;	// timestamp of first packet
 double last_watchdog_proc_time = 0.0;	// value of above during last watchdog
 bool terminating = false;	// whether we're done reading and finishing up
 bool is_parsing = false;
 const zeek::Packet *current_pkt = nullptr;
 int current_dispatched = 0;
 double current_timestamp = 0.0;
 iosource::PktSrc* current_pktsrc = nullptr;
 iosource::IOSource* current_iosrc = nullptr;
 std::list<ScannedFile> files_scanned;
 std::vector<std::string> sig_files;
 RETSIGTYPE watchdog(int /* signo */)
 	{
@ -93,7 +79,7 @@ RETSIGTYPE watchdog(int /* signo */)
 			// handler and the allocation routines are not
 			// reentrant.
-			double ct = current_time();
+			double ct = zeek::util::current_time();
 			int int_ct = int(ct);
 			int frac_ct = int((ct - int_ct) * 1e6);
@ -110,7 +96,7 @@ RETSIGTYPE watchdog(int /* signo */)
 					// saving the packet which caused the
 					// watchdog to trigger may be helpful,
 					// so we'll save that one nevertheless.
-					pkt_dumper = iosource_mgr->OpenPktDumper("watchdog-pkt.pcap", false);
+					pkt_dumper = zeek::iosource_mgr->OpenPktDumper("watchdog-pkt.pcap", false);
 					if ( ! pkt_dumper || pkt_dumper->IsError() )
 						{
 						zeek::reporter->Error("watchdog: can't open watchdog-pkt.pcap for writing");
@ -123,8 +109,8 @@ RETSIGTYPE watchdog(int /* signo */)
 				}
-			net_get_final_stats();
+			get_final_stats();
-			net_finish(0);
+			finish_run(0);
 			zeek::reporter->FatalErrorWithCore(
 				"**watchdog timer expired, t = %d.%06d, start = %d.%06d, dispatched = %d",
@ -135,17 +121,17 @@ RETSIGTYPE watchdog(int /* signo */)
 	last_watchdog_proc_time = processing_start_time;
-	(void) alarm(watchdog_interval);
+	(void) alarm(zeek::detail::watchdog_interval);
 	return RETSIGVAL;
 	}
-void net_update_time(double new_network_time)
+void update_network_time(double new_network_time)
 	{
 	network_time = new_network_time;
 	PLUGIN_HOOK_VOID(HOOK_UPDATE_NETWORK_TIME, HookUpdateNetworkTime(new_network_time));
 	}
-void net_init(const std::optional<std::string>& interface,
+void init_run(const std::optional<std::string>& interface,
              const std::optional<std::string>& pcap_input_file,
              const std::optional<std::string>& pcap_output_file,
              bool do_watchdog)
@ -155,7 +141,7 @@ void net_init(const std::optional<std::string>& interface,
 		reading_live = pseudo_realtime > 0.0;
 		reading_traces = true;
-		iosource::PktSrc* ps = iosource_mgr->OpenPktSrc(*pcap_input_file, false);
+		zeek::iosource::PktSrc* ps = zeek::iosource_mgr->OpenPktSrc(*pcap_input_file, false);
 		assert(ps);
 		if ( ! ps->IsOpen() )
@ -167,7 +153,7 @@ void net_init(const std::optional<std::string>& interface,
 		reading_live = true;
 		reading_traces = false;
-		iosource::PktSrc* ps = iosource_mgr->OpenPktSrc(*interface, true);
+		zeek::iosource::PktSrc* ps = zeek::iosource_mgr->OpenPktSrc(*interface, true);
 		assert(ps);
 		if ( ! ps->IsOpen() )
@ -185,7 +171,7 @@ void net_init(const std::optional<std::string>& interface,
 	if ( pcap_output_file )
 		{
 		const char* writefile = pcap_output_file->data();
-		pkt_dumper = iosource_mgr->OpenPktDumper(writefile, false);
+		pkt_dumper = zeek::iosource_mgr->OpenPktDumper(writefile, false);
 		assert(pkt_dumper);
 		if ( ! pkt_dumper->IsOpen() )
@ -206,31 +192,31 @@ void net_init(const std::optional<std::string>& interface,
 		{
 		// Set up the watchdog to make sure we don't wedge.
 		(void) setsignal(SIGALRM, watchdog);
-		(void) alarm(watchdog_interval);
+		(void) alarm(zeek::detail::watchdog_interval);
 		}
 	}
-void expire_timers(iosource::PktSrc* src_ps)
+void expire_timers(zeek::iosource::PktSrc* src_ps)
 	{
 	zeek::detail::SegmentProfiler prof(zeek::detail::segment_logger, "expiring-timers");
 	current_dispatched +=
 		zeek::detail::timer_mgr->Advance(network_time,
-			max_timer_expires - current_dispatched);
+			zeek::detail::max_timer_expires - current_dispatched);
 	}
-void net_packet_dispatch(double t, const zeek::Packet* pkt, iosource::PktSrc* src_ps)
+void dispatch_packet(double t, const zeek::Packet* pkt, zeek::iosource::PktSrc* src_ps)
 	{
-	if ( ! bro_start_network_time )
+	if ( ! zeek_start_network_time )
 		{
-		bro_start_network_time = t;
+		zeek_start_network_time = t;
 		if ( network_time_init )
 			zeek::event_mgr.Enqueue(network_time_init, zeek::Args{});
 		}
 	// network_time never goes back.
-	net_update_time(zeek::detail::timer_mgr->Time() < t ? t : zeek::detail::timer_mgr->Time());
+	update_network_time(zeek::detail::timer_mgr->Time() < t ? t : zeek::detail::timer_mgr->Time());
 	current_pktsrc = src_ps;
 	current_iosrc = src_ps;
@ -245,9 +231,9 @@ void net_packet_dispatch(double t, const zeek::Packet* pkt, iosource::PktSrc* sr
 		static uint32_t load_freq = 0;
 		if ( load_freq == 0 )
-			load_freq = uint32_t(0xffffffff) / uint32_t(load_sample_freq);
+			load_freq = uint32_t(0xffffffff) / uint32_t(zeek::detail::load_sample_freq);
-		if ( uint32_t(zeek::random_number() & 0xffffffff) < load_freq )
+		if ( uint32_t(zeek::util::detail::random_number() & 0xffffffff) < load_freq )
 			{
 			// Drain the queued timer events so they're not
 			// charged against this sample.
@ -274,17 +260,17 @@ void net_packet_dispatch(double t, const zeek::Packet* pkt, iosource::PktSrc* sr
 	current_pktsrc = nullptr;
 	}
-void net_run()
+void run_loop()
 	{
-	set_processing_status("RUNNING", "net_run");
+	zeek::util::detail::set_processing_status("RUNNING", "run_loop");
-	std::vector<iosource::IOSource*> ready;
+	std::vector<zeek::iosource::IOSource*> ready;
-	ready.reserve(iosource_mgr->TotalSize());
+	ready.reserve(zeek::iosource_mgr->TotalSize());
-	while ( iosource_mgr->Size() ||
+	while ( zeek::iosource_mgr->Size() ||
 		(zeek::BifConst::exit_only_after_terminate && ! terminating) )
 		{
-		iosource_mgr->FindReadySources(&ready);
+		zeek::iosource_mgr->FindReadySources(&ready);
 #ifdef DEBUG
 		static int loop_counter = 0;
@ -294,14 +280,14 @@ void net_run()
 		if ( ! ready.empty() || loop_counter++ % 100 == 0 )
 			{
 			DBG_LOG(zeek::DBG_MAINLOOP, "realtime=%.6f ready_count=%zu",
-				current_time(), ready.size());
+			        zeek::util::current_time(), ready.size());
 			if ( ! ready.empty() )
 				loop_counter = 0;
 			}
 #endif
 		current_iosrc = nullptr;
-		auto communication_enabled = broker_mgr->Active();
+		auto communication_enabled = zeek::broker_mgr->Active();
 		if ( ! ready.empty() )
 			{
@ -320,7 +306,7 @@ void net_run()
 			// date on timers and events.  Because we only
 			// have timers as sources, going to sleep here
 			// doesn't risk blocking on other inputs.
-			net_update_time(current_time());
+			update_network_time(zeek::util::current_time());
 			expire_timers();
 			}
@ -330,9 +316,7 @@ void net_run()
 		current_dispatched = 0;
 		current_iosrc = nullptr;
-		extern int signal_val;
+		if ( ::signal_val == SIGTERM || ::signal_val == SIGINT )
 		if ( signal_val == SIGTERM || signal_val == SIGINT )
 			// We received a signal while processing the
 			// current packet and its related events.
 			// Should we put the signal handling into an IOSource?
@ -347,7 +331,7 @@ void net_run()
 			{
 			auto have_active_packet_source = false;
-			iosource::PktSrc* ps = iosource_mgr->GetPktSrc();
+			zeek::iosource::PktSrc* ps = zeek::iosource_mgr->GetPktSrc();
 			if ( ps && ps->IsOpen() )
 				have_active_packet_source = true;
@ -357,19 +341,19 @@ void net_run()
 			}
 		}
-	// Get the final statistics now, and not when net_finish() is
+	// Get the final statistics now, and not when finish_run() is
 	// called, since that might happen quite a bit in the future
 	// due to expiring pending timers, and we don't want to ding
 	// for any packets dropped beyond this point.
-	net_get_final_stats();
+	get_final_stats();
 	}
-void net_get_final_stats()
+void get_final_stats()
 	{
-	iosource::PktSrc* ps = iosource_mgr->GetPktSrc();
+	zeek::iosource::PktSrc* ps = zeek::iosource_mgr->GetPktSrc();
 	if ( ps && ps->IsLive() )
 		{
-		iosource::PktSrc::Stats s;
+		zeek::iosource::PktSrc::Stats s;
 		ps->Statistics(&s);
 		double dropped_pct = s.dropped > 0.0 ? ((double)s.dropped / ((double)s.received + (double)s.dropped)) * 100.0 : 0.0;
 		zeek::reporter->Info("%" PRIu64 " packets received on interface %s, %" PRIu64 " (%.2f%%) dropped",
@ -377,9 +361,9 @@ void net_get_final_stats()
 		}
 	}
-void net_finish(int drain_events)
+void finish_run(int drain_events)
 	{
-	set_processing_status("TERMINATING", "net_finish");
+	zeek::util::detail::set_processing_status("TERMINATING", "finish_run");
 	if ( drain_events )
 		{
@ -402,9 +386,9 @@ void net_finish(int drain_events)
 #endif
 	}
-void net_delete()
+void delete_run()
 	{
-	set_processing_status("TERMINATING", "net_delete");
+	zeek::util::detail::set_processing_status("TERMINATING", "delete_run");
 	delete zeek::sessions;
@ -412,9 +396,26 @@ void net_delete()
 		delete zeek::detail::ip_anonymizer[i];
 	}
-int _processing_suspended = 0;
+} // namespace detail
-void net_suspend_processing()
+bool reading_live = false;
 bool reading_traces = false;
 double pseudo_realtime = 0.0;
 double network_time = 0.0;	// time according to last packet timestamp
                            // (or current time)
 double processing_start_time = 0.0;	// time started working on current pkt
 double zeek_start_time = 0.0; // time Bro started.
 double zeek_start_network_time;	// timestamp of first packet
 bool terminating = false;	// whether we're done reading and finishing up
 bool is_parsing = false;
 const zeek::Packet *current_pkt = nullptr;
 int current_dispatched = 0;
 double current_timestamp = 0.0;
 static int _processing_suspended = 0;
 void suspend_processing()
 	{
 	if ( _processing_suspended == 0 )
 		zeek::reporter->Info("processing suspended");
@ -422,14 +423,37 @@ void net_suspend_processing()
 	++_processing_suspended;
 	}
-void net_continue_processing()
+void continue_processing()
 	{
 	if ( _processing_suspended == 1 )
 		{
 		zeek::reporter->Info("processing continued");
-		if ( iosource::PktSrc* ps = iosource_mgr->GetPktSrc() )
+		if ( zeek::iosource::PktSrc* ps = zeek::iosource_mgr->GetPktSrc() )
 			ps->ContinueAfterSuspend();
 		}
 	--_processing_suspended;
 	}
 bool is_processing_suspended()	{ return _processing_suspended; }
 } // namespace zeek::run_state
 // Remove all of these in v4.1.
 zeek::iosource::PktSrc*& current_pktsrc = zeek::run_state::detail::current_pktsrc;
 zeek::iosource::IOSource*& current_iosrc = zeek::run_state::detail::current_iosrc;
 zeek::iosource::PktDumper*& pkt_dumper = zeek::run_state::detail::pkt_dumper;
 bool& have_pending_timers = zeek::run_state::detail::have_pending_timers;
 bool& reading_live = zeek::run_state::reading_live;
 bool& reading_traces = zeek::run_state::reading_traces;
 double& pseudo_realtime = zeek::run_state::pseudo_realtime;
 double& processing_start_time = zeek::run_state::processing_start_time;
 double& bro_start_time = zeek::run_state::zeek_start_time;
 double& bro_start_network_time = zeek::run_state::zeek_start_network_time;
 bool& terminating = zeek::run_state::terminating;
 bool& is_parsing = zeek::run_state::is_parsing;
 const zeek::Packet*& current_pkt = zeek::run_state::current_pkt;
 int& current_dispatched = zeek::run_state::current_dispatched;
 double& current_timestamp = zeek::run_state::current_timestamp;
--- a/src/RunState.h
+++ b/src/RunState.h
@ -0,0 +1,118 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 #pragma once
 #include "zeek-config.h"
 #include <string>
 #include <optional>
 ZEEK_FORWARD_DECLARE_NAMESPACED(IOSource, zeek, iosource);
 ZEEK_FORWARD_DECLARE_NAMESPACED(PktSrc, zeek, iosource);
 ZEEK_FORWARD_DECLARE_NAMESPACED(PktDumper, zeek, iosource);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Packet, zeek);
 namespace zeek::run_state {
 namespace detail {
 extern void init_run(const std::optional<std::string>& interfaces,
                     const std::optional<std::string>& pcap_input_file,
                     const std::optional<std::string>& pcap_output_file,
                     bool do_watchdog);
 extern void run_loop();
 extern void get_final_stats();
 extern void finish_run(int drain_events);
 extern void delete_run();	// Reclaim all memory, etc.
 extern void update_network_time(double new_network_time);
 extern void dispatch_packet(double t, const zeek::Packet* pkt,
                            zeek::iosource::PktSrc* src_ps);
 extern void expire_timers(zeek::iosource::PktSrc* src_ps = nullptr);
 extern void zeek_terminate_loop(const char* reason);
 extern zeek::iosource::PktSrc* current_pktsrc;
 extern zeek::iosource::IOSource* current_iosrc;
 extern zeek::iosource::PktDumper* pkt_dumper;	// where to save packets
 // True if we have timers scheduled for the future on which we need
 // to wait.  "Need to wait" here means that we're running live (though
 // perhaps not reading_live, but just running in real-time) as opposed
 // to reading a trace (in which case we don't want to wait in real-time
 // on future timers).
 extern bool have_pending_timers;
 } // namespace detail
 // Functions to temporarily suspend processing of live input (network packets
 // and remote events/state). Turning this is on is sure to lead to data loss!
 extern void suspend_processing();
 extern void continue_processing();
 bool is_processing_suspended();
 // Whether we're reading live traffic.
 extern bool reading_live;
 // Same but for reading from traces instead.  We have two separate
 // variables because it's possible that neither is true, and we're
 // instead just running timers (per the variable after this one).
 extern bool reading_traces;
 // If > 0, we are reading from traces but trying to mimic real-time behavior.
 // (In this case, both reading_traces and reading_live are true.)  The value
 // is the speedup (1 = real-time, 0.5 = half real-time, etc.).
 extern double pseudo_realtime;
 // When we started processing the current packet and corresponding event
 // queue.
 extern double processing_start_time;
 // When the Bro process was started.
 extern double zeek_start_time;
 // Time at which the Bro process was started with respect to network time,
 // i.e. the timestamp of the first packet.
 extern double zeek_start_network_time;
 // Time according to last packet timestamp (or current time)
 extern double network_time;
 // True if we're a in the process of cleaning-up just before termination.
 extern bool terminating;
 // True if Bro is currently parsing scripts.
 extern bool is_parsing;
 extern const zeek::Packet* current_pkt;
 extern int current_dispatched;
 extern double current_timestamp;
 } // namespace zeek::run_state
 constexpr auto net_init [[deprecated("Remove in v4.1. Use zeek::run_state::detail::init_run.")]] = zeek::run_state::detail::init_run;
 constexpr auto net_run [[deprecated("Remove in v4.1. Use zeek::run_state::detail::run_run.")]] = zeek::run_state::detail::run_loop;
 constexpr auto net_get_final_stats [[deprecated("Remove in v4.1. Use zeek::run_state::detail::get_final_stats.")]] = zeek::run_state::detail::get_final_stats;
 constexpr auto net_finish [[deprecated("Remove in v4.1. Use zeek::run_state::detail::finish_run.")]] = zeek::run_state::detail::finish_run;
 constexpr auto net_delete [[deprecated("Remove in v4.1. Use zeek::run_state::detail::delete_run.")]] = zeek::run_state::detail::delete_run;
 constexpr auto net_update_time [[deprecated("Remove in v4.1. Use zeek::run_state::detail::update_network_time.")]] = zeek::run_state::detail::update_network_time;
 constexpr auto net_packet_dispatch [[deprecated("Remove in v4.1. Use zeek::run_state::detail::dispatch_packet.")]] = zeek::run_state::detail::dispatch_packet;
 constexpr auto expire_timers [[deprecated("Remove in v4.1. Use zeek::run_state::detail::expire_timers.")]] = zeek::run_state::detail::expire_timers;
 constexpr auto zeek_terminate_loop [[deprecated("Remove in v4.1. Use zeek::run_state::detail::zeek_terminate_loop.")]] = zeek::run_state::detail::zeek_terminate_loop;
 extern zeek::iosource::PktSrc*& current_pktsrc [[deprecated("Remove in v4.1. Use zeek::run_state::detail::current_pktsrc.")]];
 extern zeek::iosource::IOSource*& current_iosrc [[deprecated("Remove in v4.1. Use zeek::run_state::detail::current_iosrc.")]];
 extern zeek::iosource::PktDumper*& pkt_dumper [[deprecated("Remove in v4.1. Use zeek::run_state::detail::pkt_dumper.")]];
 extern bool& have_pending_timers [[deprecated("Remove in v4.1. Use zeek::run_state::detail::have_pending_timers.")]];
 constexpr auto net_suspend_processing [[deprecated("Remove in v4.1. Use zeek::run_state::suspend_processing.")]] = zeek::run_state::suspend_processing;
 constexpr auto net_continue_processing [[deprecated("Remove in v4.1. Use zeek::run_state::continue_processing.")]] = zeek::run_state::continue_processing;
 constexpr auto net_is_processing_suspended [[deprecated("Remove in v4.1. Use zeek::run_state::is_processing_suspended.")]] = zeek::run_state::is_processing_suspended;
 extern bool& reading_live [[deprecated("Remove in v4.1. Use zeek::run_state::reading_live.")]];
 extern bool& reading_traces [[deprecated("Remove in v4.1. Use zeek::run_state::reading_traces.")]];
 extern double& pseudo_realtime [[deprecated("Remove in v4.1. Use zeek::run_state::pseudo_realtime.")]];
 extern double& processing_start_time [[deprecated("Remove in v4.1. Use zeek::run_state::processing_start_time.")]];
 extern double& bro_start_time [[deprecated("Remove in v4.1. Use zeek::run_state::zeek_start_time.")]];
 extern double& bro_start_network_time [[deprecated("Remove in v4.1. Use zeek::run_state::zeek_start_network_time.")]];
 extern bool& terminating [[deprecated("Remove in v4.1. Use zeek::run_state::terminating.")]];
 extern bool& is_parsing [[deprecated("Remove in v4.1. Use zeek::run_state::is_parsing.")]];
 extern const zeek::Packet*& current_pkt [[deprecated("Remove in v4.1. Use zeek::run_state::current_pkt.")]];
 extern int& current_dispatched [[deprecated("Remove in v4.1. Use zeek::run_state::current_dispatched.")]];
 extern double& current_timestamp [[deprecated("Remove in v4.1. Use zeek::run_state::current_timestamp.")]];
--- a/src/ScannedFile.cc
+++ b/src/ScannedFile.cc
@ -0,0 +1,56 @@
 #include "ScannedFile.h"
 #include <sys/errno.h>
 #include <limits.h> // for PATH_MAX
 #include "DebugLogger.h"
 #include "Reporter.h"
 namespace zeek::detail {
 std::list<ScannedFile> files_scanned;
 std::vector<std::string> sig_files;
 ScannedFile::ScannedFile(int arg_include_level,
                         std::string arg_name,
                         bool arg_skipped,
                         bool arg_prefixes_checked)
 	: include_level(arg_include_level),
 	  skipped(arg_skipped),
 	  prefixes_checked(arg_prefixes_checked),
 	  name(std::move(arg_name))
 	{
 	if ( name == canonical_stdin_path )
 		canonical_path = canonical_stdin_path;
 	else
 		{
 		char buf[PATH_MAX];
 		auto res = realpath(name.data(), buf);
 		if ( ! res )
 			zeek::reporter->FatalError("failed to get realpath() of %s: %s",
 			                           name.data(), strerror(errno));
 		canonical_path = res;
 		}
 	}
 bool ScannedFile::AlreadyScanned() const
 	{
 	auto rval = false;
 	for ( const auto& it : files_scanned )
 		if ( it.canonical_path == canonical_path )
 			{
 			rval = true;
 			break;
 			}
 	DBG_LOG(zeek::DBG_SCRIPTS, "AlreadyScanned result (%d) %s", rval, canonical_path.data());
 	return rval;
 	}
 } // namespace zeek::detail
 std::list<zeek::detail::ScannedFile>& files_scanned = zeek::detail::files_scanned;
 std::vector<std::string>& sig_files = zeek::detail::sig_files;
--- a/src/ScannedFile.h
+++ b/src/ScannedFile.h
@ -0,0 +1,43 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 #pragma once
 #include <string>
 #include <list>
 #include <vector>
 namespace zeek::detail {
 // Script file we have already scanned (or are in the process of scanning).
 // They are identified by normalized realpath.
 class ScannedFile {
 public:
 	ScannedFile(int arg_include_level,
 	            std::string arg_name, bool arg_skipped = false,
 	            bool arg_prefixes_checked = false);
 	/**
 	 * Compares the canonical path of this file against every canonical path
 	 * in files_scanned and returns whether there's any match.
 	 */
 	bool AlreadyScanned() const;
 	int include_level;
 	bool skipped;		// This ScannedFile was @unload'd.
 	bool prefixes_checked;	// If loading prefixes for this file has been tried.
 	std::string name;
 	std::string canonical_path; // normalized, absolute path via realpath()
 	static auto constexpr canonical_stdin_path = "<stdin>";
 };
 extern std::list<ScannedFile> files_scanned;
 extern std::vector<std::string> sig_files;
 } // namespace zeek::detail
 using ScannedFile [[deprecated("Remove in v4.1. Use zeek::detail::ScannedFile.")]] = zeek::detail::ScannedFile;
 extern std::list<zeek::detail::ScannedFile>& files_scanned [[deprecated("Remove in v4.1. Use zeek::detail::files_scanned.")]];
 extern std::vector<std::string>& sig_files [[deprecated("Remove in v4.1. Use zeek::detail::sig_files.")]];
--- a/src/Scope.h
+++ b/src/Scope.h
@ -8,7 +8,7 @@
 #include <map>
 #include "Obj.h"
-#include "BroList.h"
+#include "ZeekList.h"
 #include "IntrusivePtr.h"
 #include "TraverseTypes.h"
--- a/src/ScriptCoverageManager.cc
+++ b/src/ScriptCoverageManager.cc
@ -39,7 +39,7 @@ void ScriptCoverageManager::AddStmt(zeek::detail::Stmt* s)
 bool ScriptCoverageManager::ReadStats()
 	{
-	char* bf = zeekenv("ZEEK_PROFILER_FILE");
+	char* bf = zeek::util::zeekenv("ZEEK_PROFILER_FILE");
 	if ( ! bf )
 		return false;
@ -56,7 +56,7 @@ bool ScriptCoverageManager::ReadStats()
 	ss.clear();
 	std::vector<std::string> lines;
-	tokenize_string(file_contents, "\n", &lines);
+	zeek::util::tokenize_string(file_contents, "\n", &lines);
 	string delimiter;
 	delimiter = delim;
@ -66,7 +66,7 @@ bool ScriptCoverageManager::ReadStats()
 			continue;
 		std::vector<std::string> line_components;
-		tokenize_string(line, delimiter, &line_components);
+		zeek::util::tokenize_string(line, delimiter, &line_components);
 		if ( line_components.size() != 3 )
 			{
@ -80,7 +80,7 @@ bool ScriptCoverageManager::ReadStats()
 		pair<string, string> location_desc(std::move(location), std::move(desc));
 		uint64_t count;
-		atoi_n(cnt.size(), cnt.c_str(), nullptr, 10, count);
+		zeek::util::atoi_n(cnt.size(), cnt.c_str(), nullptr, 10, count);
 		usage_map.emplace(std::move(location_desc), count);
 		}
@ -89,14 +89,14 @@ bool ScriptCoverageManager::ReadStats()
 bool ScriptCoverageManager::WriteStats()
 	{
-	char* bf = zeekenv("ZEEK_PROFILER_FILE");
+	char* bf = zeek::util::zeekenv("ZEEK_PROFILER_FILE");
 	if ( ! bf )
 		return false;
-	SafeDirname dirname{bf};
+	zeek::util::SafeDirname dirname{bf};
-	if ( ! ensure_intermediate_dirs(dirname.result.data()) )
+	if ( ! zeek::util::detail::ensure_intermediate_dirs(dirname.result.data()) )
 		{
 		zeek::reporter->Error("Failed to open ZEEK_PROFILER_FILE destination '%s' for writing", bf);
 		return false;
--- a/src/SerializationFormat.cc
+++ b/src/SerializationFormat.cc
@ -45,7 +45,7 @@ void SerializationFormat::StartWrite()
 	if ( ! output )
 		{
-		output = (char*)safe_malloc(INITIAL_SIZE);
+		output = (char*)zeek::util::safe_malloc(INITIAL_SIZE);
 		output_size = INITIAL_SIZE;
 		}
@ -85,7 +85,7 @@ bool SerializationFormat::WriteData(const void* b, size_t count)
 	while ( output_pos + count > output_size )
 		output_size *= GROWTH_FACTOR;
-	output = (char*)safe_realloc(output, output_size);
+	output = (char*)zeek::util::safe_realloc(output, output_size);
 	memcpy(output + output_pos, b, count);
 	output_pos += count;
@ -180,7 +180,7 @@ bool BinarySerializationFormat::Read(double* d, const char* tag)
 bool BinarySerializationFormat::Read(char* v, const char* tag)
 	{
 	bool ret = ReadData(v, 1);
-	DBG_LOG(zeek::DBG_SERIAL, "Read char %s [%s]", fmt_bytes(v, 1), tag);
+	DBG_LOG(zeek::DBG_SERIAL, "Read char %s [%s]", zeek::util::fmt_bytes(v, 1), tag);
 	return ret;
 	}
@ -218,7 +218,7 @@ bool BinarySerializationFormat::Read(char** str, int* len, const char* tag)
 	*str = s;
-	DBG_LOG(zeek::DBG_SERIAL, "Read %d bytes |%s| [%s]", l, fmt_bytes(*str, l), tag);
+	DBG_LOG(zeek::DBG_SERIAL, "Read %d bytes |%s| [%s]", l, zeek::util::fmt_bytes(*str, l), tag);
 	return true;
 	}
@ -303,7 +303,7 @@ bool BinarySerializationFormat::Read(struct in6_addr* addr, const char* tag)
 bool BinarySerializationFormat::Write(char v, const char* tag)
 	{
-	DBG_LOG(zeek::DBG_SERIAL, "Write char %s [%s]", fmt_bytes(&v, 1), tag);
+	DBG_LOG(zeek::DBG_SERIAL, "Write char %s [%s]", zeek::util::fmt_bytes(&v, 1), tag);
 	return WriteData(&v, 1);
 	}
@ -434,7 +434,7 @@ bool BinarySerializationFormat::WriteSeparator()
 bool BinarySerializationFormat::Write(const char* buf, int len, const char* tag)
 	{
-	DBG_LOG(zeek::DBG_SERIAL, "Write bytes |%s| [%s]", fmt_bytes(buf, len), tag);
+	DBG_LOG(zeek::DBG_SERIAL, "Write bytes |%s| [%s]", zeek::util::fmt_bytes(buf, len), tag);
 	uint32_t l = htonl(len);
 	return WriteData(&l, sizeof(l)) && WriteData(buf, len);
 	}
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@ -11,7 +11,7 @@
 #include <unistd.h>
 #include "Desc.h"
-#include "Net.h"
+#include "RunState.h"
 #include "Event.h"
 #include "Timer.h"
 #include "NetVar.h"
@ -72,7 +72,7 @@ void IPTunnelTimer::Dispatch(double t, bool is_expire)
 NetSessions::NetSessions()
 	{
 	if ( stp_correlate_pair )
-		stp_manager = new ::analyzer::stepping_stone::SteppingStoneManager();
+		stp_manager = new zeek::analyzer::stepping_stone::SteppingStoneManager();
 	else
 		stp_manager = nullptr;
@ -89,14 +89,15 @@ NetSessions::NetSessions()
 	num_packets_processed = 0;
 	static auto pkt_profile_file = zeek::id::find_val("pkt_profile_file");
-	if ( pkt_profile_mode && pkt_profile_freq > 0 && pkt_profile_file )
+	if ( zeek::detail::pkt_profile_mode && zeek::detail::pkt_profile_freq > 0 && pkt_profile_file )
-		pkt_profiler = new zeek::detail::PacketProfiler(pkt_profile_mode,
+		pkt_profiler = new zeek::detail::PacketProfiler(zeek::detail::pkt_profile_mode,
-				pkt_profile_freq, pkt_profile_file->AsFile());
+		                                                zeek::detail::pkt_profile_freq,
 		                                                pkt_profile_file->AsFile());
 	else
 		pkt_profiler = nullptr;
 	if ( arp_request || arp_reply || bad_arp )
-		arp_analyzer = new ::analyzer::arp::ARP_Analyzer();
+		arp_analyzer = new zeek::analyzer::arp::ARP_Analyzer();
 	else
 		arp_analyzer = nullptr;
@ -139,7 +140,7 @@ void NetSessions::NextPacket(double t, const zeek::Packet* pkt)
 	dump_this_packet = false;
-	if ( record_all_packets )
+	if ( zeek::detail::record_all_packets )
 		DumpPacket(pkt);
 	if ( pkt->hdr_size > pkt->cap_len )
@ -188,7 +189,7 @@ void NetSessions::NextPacket(double t, const zeek::Packet* pkt)
 		}
-	if ( dump_this_packet && ! record_all_packets )
+	if ( dump_this_packet && ! zeek::detail::record_all_packets )
 		DumpPacket(pkt);
 	}
@ -275,7 +276,7 @@ void NetSessions::DoNextPacket(double t, const zeek::Packet* pkt, const zeek::IP
 	if ( packet_filter && packet_filter->Match(ip_hdr, len, caplen) )
 		 return;
-	if ( ! pkt->l2_checksummed && ! ignore_checksums && ip4 &&
+	if ( ! pkt->l2_checksummed && ! zeek::detail::ignore_checksums && ip4 &&
 	     ones_complement_checksum((void*) ip4, ip_hdr_len, 0) != 0xffff )
 		{
 		Weird("bad_IP_checksum", pkt, encapsulation);
@ -403,9 +404,9 @@ void NetSessions::DoNextPacket(double t, const zeek::Packet* pkt, const zeek::IP
 		const struct icmp* icmpp = (const struct icmp *) data;
 		id.src_port = icmpp->icmp_type;
-		id.dst_port = ::analyzer::icmp::ICMP4_counterpart(icmpp->icmp_type,
+		id.dst_port = zeek::analyzer::icmp::ICMP4_counterpart(icmpp->icmp_type,
-								icmpp->icmp_code,
+		                                                      icmpp->icmp_code,
-								id.is_one_way);
+		                                                      id.is_one_way);
 		id.src_port = htons(id.src_port);
 		id.dst_port = htons(id.dst_port);
@ -419,9 +420,9 @@ void NetSessions::DoNextPacket(double t, const zeek::Packet* pkt, const zeek::IP
 		const struct icmp* icmpp = (const struct icmp *) data;
 		id.src_port = icmpp->icmp_type;
-		id.dst_port = ::analyzer::icmp::ICMP6_counterpart(icmpp->icmp_type,
+		id.dst_port = zeek::analyzer::icmp::ICMP6_counterpart(icmpp->icmp_type,
-								icmpp->icmp_code,
+		                                                      icmpp->icmp_code,
-								id.is_one_way);
+		                                                      id.is_one_way);
 		id.src_port = htons(id.src_port);
 		id.dst_port = htons(id.dst_port);
@ -450,7 +451,7 @@ void NetSessions::DoNextPacket(double t, const zeek::Packet* pkt, const zeek::IP
 		if ( gre_version != 0 && gre_version != 1 )
 			{
 			Weird("unknown_gre_version", ip_hdr, encapsulation,
-			      fmt("%d", gre_version));
+			      zeek::util::fmt("%d", gre_version));
 			return;
 			}
@ -528,7 +529,7 @@ void NetSessions::DoNextPacket(double t, const zeek::Packet* pkt, const zeek::IP
 				{
 				// Enhanced GRE payload must be PPP.
 				Weird("egre_protocol_type", ip_hdr, encapsulation,
-				      fmt("%d", proto_typ));
+				      zeek::util::fmt("%d", proto_typ));
 				return;
 				}
 			}
@ -632,11 +633,11 @@ void NetSessions::DoNextPacket(double t, const zeek::Packet* pkt, const zeek::IP
 			{
 			EncapsulatingConn ec(ip_hdr->SrcAddr(), ip_hdr->DstAddr(),
 			                     tunnel_type);
-			ip_tunnels[tunnel_idx] = TunnelActivity(ec, network_time);
+			ip_tunnels[tunnel_idx] = TunnelActivity(ec, zeek::run_state::network_time);
-	        zeek::detail::timer_mgr->Add(new detail::IPTunnelTimer(network_time, tunnel_idx));
+	        zeek::detail::timer_mgr->Add(new detail::IPTunnelTimer(zeek::run_state::network_time, tunnel_idx));
 			}
 		else
-			it->second.second = network_time;
+			it->second.second = zeek::run_state::network_time;
 		if ( gre_version == 0 )
 			DoNextInnerPacket(t, pkt, caplen, len, data, gre_link_type,
@ -661,7 +662,7 @@ void NetSessions::DoNextPacket(double t, const zeek::Packet* pkt, const zeek::IP
 		}
 	default:
-		Weird("unknown_protocol", pkt, encapsulation, fmt("%d", proto));
+		Weird("unknown_protocol", pkt, encapsulation, zeek::util::fmt("%d", proto));
 		return;
 	}
@ -758,9 +759,9 @@ void NetSessions::DoNextInnerPacket(double t, const zeek::Packet* pkt,
 		ts = pkt->ts;
 	else
 		{
-		ts.tv_sec = (time_t) network_time;
+		ts.tv_sec = (time_t) zeek::run_state::network_time;
 		ts.tv_usec = (suseconds_t)
-		    ((network_time - (double)ts.tv_sec) * 1000000);
+		    ((zeek::run_state::network_time - (double)ts.tv_sec) * 1000000);
 		}
 	const u_char* data = nullptr;
@ -796,9 +797,9 @@ void NetSessions::DoNextInnerPacket(double t, const zeek::Packet* pkt,
 		ts = pkt->ts;
 	else
 		{
-		ts.tv_sec = (time_t) network_time;
+		ts.tv_sec = (time_t) zeek::run_state::network_time;
 		ts.tv_usec = (suseconds_t)
-		    ((network_time - (double)ts.tv_sec) * 1000000);
+		    ((zeek::run_state::network_time - (double)ts.tv_sec) * 1000000);
 		}
 	EncapsulationStack* outer = prev ?
@ -1011,10 +1012,10 @@ void NetSessions::Remove(Connection* c)
 		if ( c->ConnTransport() == TRANSPORT_TCP )
 			{
-			auto ta = static_cast<::analyzer::tcp::TCP_Analyzer*>(c->GetRootAnalyzer());
+			auto ta = static_cast<zeek::analyzer::tcp::TCP_Analyzer*>(c->GetRootAnalyzer());
 			assert(ta->IsAnalyzer("TCP"));
-			::analyzer::tcp::TCP_Endpoint* to = ta->Orig();
+			zeek::analyzer::tcp::TCP_Endpoint* to = ta->Orig();
-			::analyzer::tcp::TCP_Endpoint* tr = ta->Resp();
+			zeek::analyzer::tcp::TCP_Endpoint* tr = ta->Resp();
 			tcp_stats.StateLeft(to->state, tr->state);
 			}
@ -1273,10 +1274,10 @@ bool NetSessions::WantConnection(uint16_t src_port, uint16_t dst_port,
 			{
 			// The new connection is starting either without a SYN,
 			// or with a SYN ack. This means it's a partial connection.
-			if ( ! partial_connection_ok )
+			if ( ! zeek::detail::partial_connection_ok )
 				return false;
-			if ( tcp_flags & TH_SYN && ! tcp_SYN_ack_ok )
+			if ( tcp_flags & TH_SYN && ! zeek::detail::tcp_SYN_ack_ok )
 				return false;
 			// Try to guess true responder by the port numbers.
@ -1310,7 +1311,7 @@ bool NetSessions::WantConnection(uint16_t src_port, uint16_t dst_port,
 void NetSessions::DumpPacket(const zeek::Packet *pkt, int len)
 	{
-	if ( ! pkt_dumper )
+	if ( ! zeek::run_state::detail::pkt_dumper )
 		return;
 	if ( len != 0 )
@ -1321,7 +1322,7 @@ void NetSessions::DumpPacket(const zeek::Packet *pkt, int len)
 			const_cast<zeek::Packet *>(pkt)->cap_len = len;
 		}
-	pkt_dumper->Dump(pkt);
+	zeek::run_state::detail::pkt_dumper->Dump(pkt);
 	}
 void NetSessions::Weird(const char* name, const zeek::Packet* pkt,
@ -1331,7 +1332,7 @@ void NetSessions::Weird(const char* name, const zeek::Packet* pkt,
 		dump_this_packet = true;
 	if ( encap && encap->LastType() != BifEnum::Tunnel::NONE )
-		zeek::reporter->Weird(fmt("%s_in_tunnel", name), addl);
+		zeek::reporter->Weird(zeek::util::fmt("%s_in_tunnel", name), addl);
 	else
 		zeek::reporter->Weird(name, addl);
 	}
@ -1341,7 +1342,7 @@ void NetSessions::Weird(const char* name, const zeek::IP_Hdr* ip,
 	{
 	if ( encap && encap->LastType() != BifEnum::Tunnel::NONE )
 		zeek::reporter->Weird(ip->SrcAddr(), ip->DstAddr(),
-		                      fmt("%s_in_tunnel", name), addl);
+		                      zeek::util::fmt("%s_in_tunnel", name), addl);
 	else
 		zeek::reporter->Weird(ip->SrcAddr(), ip->DstAddr(), name, addl);
 	}
@ -1350,7 +1351,7 @@ unsigned int NetSessions::ConnectionMemoryUsage()
 	{
 	unsigned int mem = 0;
-	if ( terminating )
+	if ( zeek::run_state::terminating )
 		// Connections have been flushed already.
 		return 0;
@ -1370,7 +1371,7 @@ unsigned int NetSessions::ConnectionMemoryUsageConnVals()
 	{
 	unsigned int mem = 0;
-	if ( terminating )
+	if ( zeek::run_state::terminating )
 		// Connections have been flushed already.
 		return 0;
@ -1388,7 +1389,7 @@ unsigned int NetSessions::ConnectionMemoryUsageConnVals()
 unsigned int NetSessions::MemoryAllocation()
 	{
-	if ( terminating )
+	if ( zeek::run_state::terminating )
 		// Connections have been flushed already.
 		return 0;
--- a/src/Sessions.h
+++ b/src/Sessions.h
@ -23,9 +23,8 @@ namespace zeek { struct ConnID; }
 using ConnID [[deprecated("Remove in v4.1. Use zeek::ConnID.")]] = zeek::ConnID;
 ZEEK_FORWARD_DECLARE_NAMESPACED(Discarder, zeek::detail);
-
+ZEEK_FORWARD_DECLARE_NAMESPACED(SteppingStoneManager, zeek, analyzer::stepping_stone);
-namespace analyzer { namespace stepping_stone { class SteppingStoneManager; } }
+ZEEK_FORWARD_DECLARE_NAMESPACED(ARP_Analyzer, zeek, analyzer::arp);
 namespace analyzer { namespace arp { class ARP_Analyzer; } }
 namespace zeek {
@ -91,11 +90,11 @@ public:
 	zeek::detail::PacketFilter* GetPacketFilter()
 		{
 		if ( ! packet_filter )
-			packet_filter = new zeek::detail::PacketFilter(packet_filter_default);
+			packet_filter = new zeek::detail::PacketFilter(detail::packet_filter_default);
 		return packet_filter;
 		}
-	::analyzer::stepping_stone::SteppingStoneManager* GetSTPManager()	{ return stp_manager; }
+	zeek::analyzer::stepping_stone::SteppingStoneManager* GetSTPManager()	{ return stp_manager; }
 	unsigned int CurrentConnections()
 		{
@ -172,7 +171,7 @@ public:
 	unsigned int ConnectionMemoryUsage();
 	unsigned int ConnectionMemoryUsageConnVals();
 	unsigned int MemoryAllocation();
-	::analyzer::tcp::TCPStateStats tcp_stats;	// keeps statistics on TCP states
+	zeek::analyzer::tcp::TCPStateStats tcp_stats;	// keeps statistics on TCP states
 protected:
 	friend class ConnCompressor;
@ -235,9 +234,9 @@ protected:
 	using IPTunnelMap = std::map<IPPair, TunnelActivity>;
 	IPTunnelMap ip_tunnels;
-	::analyzer::arp::ARP_Analyzer* arp_analyzer;
+	zeek::analyzer::arp::ARP_Analyzer* arp_analyzer;
-	::analyzer::stepping_stone::SteppingStoneManager* stp_manager;
+	zeek::analyzer::stepping_stone::SteppingStoneManager* stp_manager;
 	zeek::detail::Discarder* discarder;
 	zeek::detail::PacketFilter* packet_filter;
 	uint64_t num_packets_processed;
--- a/src/SmithWaterman.cc
+++ b/src/SmithWaterman.cc
@ -359,7 +359,7 @@ static void sw_collect_multiple(Substring::Vec* result,
 						{
 						if ( (*it2)->DoesCover(*it3) )
 							{
-							delete_each(new_al);
+							zeek::util::delete_each(new_al);
 							delete new_al;
 							new_al = nullptr;
 							goto end_loop;
@ -367,7 +367,7 @@ static void sw_collect_multiple(Substring::Vec* result,
 						if ( (*it3)->DoesCover(*it2) )
 							{
-							delete_each(old_al);
+							zeek::util::delete_each(old_al);
 							delete old_al;
 							*it = 0;
 							goto end_loop;
--- a/src/Stats.cc
+++ b/src/Stats.cc
@ -3,7 +3,7 @@
 #include "Conn.h"
 #include "File.h"
 #include "Event.h"
-#include "Net.h"
+#include "RunState.h"
 #include "NetVar.h"
 #include "ID.h"
 #include "Sessions.h"
@ -51,7 +51,7 @@ void ProfileTimer::Dispatch(double t, bool is_expire)
 	// Reinstall timer.
 	if ( ! is_expire )
-		zeek::detail::timer_mgr->Add(new ProfileTimer(network_time + interval,
+		zeek::detail::timer_mgr->Add(new ProfileTimer(zeek::run_state::network_time + interval,
 		                                              logger, interval));
 	}
@ -71,11 +71,11 @@ ProfileLogger::~ProfileLogger()
 void ProfileLogger::Log()
 	{
-	if ( terminating )
+	if ( zeek::run_state::terminating )
 		// Connections have been flushed already.
 		return;
-	file->Write(fmt("%.06f ------------------------\n", network_time));
+	file->Write(zeek::util::fmt("%.06f ------------------------\n", zeek::run_state::network_time));
 	// Do expensive profiling only occasionally.
 	bool expensive = false;
@ -90,14 +90,14 @@ void ProfileLogger::Log()
 	struct timeval tv_stime = r.ru_stime;
 	uint64_t total, malloced;
-	get_memory_usage(&total, &malloced);
+	zeek::util::get_memory_usage(&total, &malloced);
 	static unsigned int first_total = 0;
 	static double first_rtime = 0;
 	static double first_utime = 0;
 	static double first_stime = 0;
-	double rtime = current_time();
+	double rtime = zeek::util::current_time();
 	double utime = double(tv_utime.tv_sec) + double(tv_utime.tv_usec) / 1e6;
 	double stime = double(tv_stime.tv_sec) + double(tv_stime.tv_usec) / 1e6;
@ -108,27 +108,27 @@ void ProfileLogger::Log()
 		first_utime = utime;
 		first_stime = stime;
-		file->Write(fmt("%.06f Command line: ", network_time ));
+		file->Write(zeek::util::fmt("%.06f Command line: ", zeek::run_state::network_time ));
-		for ( int i = 0; i < bro_argc; i++ )
+		for ( int i = 0; i < zeek_argc; i++ )
 			{
-			file->Write(bro_argv[i]);
+			file->Write(zeek_argv[i]);
 			file->Write(" ");
 			}
-		file->Write(fmt("\n%.06f ------------------------\n", network_time));
+		file->Write(zeek::util::fmt("\n%.06f ------------------------\n", zeek::run_state::network_time));
 		}
-	file->Write(fmt("%.06f Memory: total=%" PRId64 "K total_adj=%" PRId64 "K malloced: %" PRId64 "K\n",
+	file->Write(zeek::util::fmt("%.06f Memory: total=%" PRId64 "K total_adj=%" PRId64 "K malloced: %" PRId64 "K\n",
-		network_time, total / 1024, (total - first_total) / 1024,
+		zeek::run_state::network_time, total / 1024, (total - first_total) / 1024,
 		malloced / 1024));
-	file->Write(fmt("%.06f Run-time: user+sys=%.1f user=%.1f sys=%.1f real=%.1f\n",
+	file->Write(zeek::util::fmt("%.06f Run-time: user+sys=%.1f user=%.1f sys=%.1f real=%.1f\n",
-		network_time, (utime + stime) - (first_utime + first_stime),
+		zeek::run_state::network_time, (utime + stime) - (first_utime + first_stime),
 		utime - first_utime, stime - first_stime, rtime - first_rtime));
 	int conn_mem_use = expensive ? sessions->ConnectionMemoryUsage() : 0;
-	file->Write(fmt("%.06f Conns: total=%" PRIu64 " current=%" PRIu64 "/%" PRIi32 " mem=%" PRIi32 "K avg=%.1f table=%" PRIu32 "K connvals=%" PRIu32 "K\n",
+	file->Write(zeek::util::fmt("%.06f Conns: total=%" PRIu64 " current=%" PRIu64 "/%" PRIi32 " mem=%" PRIi32 "K avg=%.1f table=%" PRIu32 "K connvals=%" PRIu32 "K\n",
-		network_time,
+		zeek::run_state::network_time,
 		Connection::TotalConnections(),
 		Connection::CurrentConnections(),
 		sessions->CurrentConnections(),
@ -141,20 +141,20 @@ void ProfileLogger::Log()
 	SessionStats s;
 	sessions->GetStats(s);
-	file->Write(fmt("%.06f Conns: tcp=%zu/%zu udp=%zu/%zu icmp=%zu/%zu\n",
+	file->Write(zeek::util::fmt("%.06f Conns: tcp=%zu/%zu udp=%zu/%zu icmp=%zu/%zu\n",
-		network_time,
+		zeek::run_state::network_time,
 		s.num_TCP_conns, s.max_TCP_conns,
 		s.num_UDP_conns, s.max_UDP_conns,
 		s.num_ICMP_conns, s.max_ICMP_conns
 		));
 	sessions->tcp_stats.PrintStats(file,
-			fmt("%.06f TCP-States:", network_time));
+			zeek::util::fmt("%.06f TCP-States:", zeek::run_state::network_time));
 	// Alternatively, if you prefer more compact output...
 	/*
-	file->Write(fmt("%.8f TCP-States: I=%d S=%d SA=%d SR=%d E=%d EF=%d ER=%d F=%d P=%d\n",
+	file->Write(zeek::util::fmt("%.8f TCP-States: I=%d S=%d SA=%d SR=%d E=%d EF=%d ER=%d F=%d P=%d\n",
-		       network_time,
+		       zeek::run_state::network_time,
 		       sessions->tcp_stats.StateInactive(),
 		       sessions->tcp_stats.StateRequest(),
 		       sessions->tcp_stats.StateSuccRequest(),
@ -167,10 +167,10 @@ void ProfileLogger::Log()
 		       ));
 	*/
-	file->Write(fmt("%.06f Connections expired due to inactivity: %" PRIu64 "\n",
+	file->Write(zeek::util::fmt("%.06f Connections expired due to inactivity: %" PRIu64 "\n",
-		network_time, killed_by_inactivity));
+		zeek::run_state::network_time, killed_by_inactivity));
-	file->Write(fmt("%.06f Total reassembler data: %" PRIu64 "K\n", network_time,
+	file->Write(zeek::util::fmt("%.06f Total reassembler data: %" PRIu64 "K\n", zeek::run_state::network_time,
 		Reassembler::TotalMemoryAllocation() / 1024));
 	// Signature engine.
@ -179,49 +179,49 @@ void ProfileLogger::Log()
 		zeek::detail::RuleMatcher::Stats stats;
 		zeek::detail::rule_matcher->GetStats(&stats);
-		file->Write(fmt("%06f RuleMatcher: matchers=%d nfa_states=%d dfa_states=%d "
+		file->Write(zeek::util::fmt("%06f RuleMatcher: matchers=%d nfa_states=%d dfa_states=%d "
-			"ncomputed=%d mem=%dK\n", network_time, stats.matchers,
+			"ncomputed=%d mem=%dK\n", zeek::run_state::network_time, stats.matchers,
 			stats.nfa_states, stats.dfa_states, stats.computed, stats.mem / 1024));
 		}
-	file->Write(fmt("%.06f Timers: current=%d max=%d lag=%.2fs\n",
+	file->Write(zeek::util::fmt("%.06f Timers: current=%d max=%d lag=%.2fs\n",
-	                network_time,
+	                zeek::run_state::network_time,
 	                zeek::detail::timer_mgr->Size(), zeek::detail::timer_mgr->PeakSize(),
-	                network_time - zeek::detail::timer_mgr->LastTimestamp()));
+	                zeek::run_state::network_time - zeek::detail::timer_mgr->LastTimestamp()));
 	zeek::detail::DNS_Mgr::Stats dstats;
 	zeek::detail::dns_mgr->GetStats(&dstats);
-	file->Write(fmt("%.06f DNS_Mgr: requests=%lu succesful=%lu failed=%lu pending=%lu cached_hosts=%lu cached_addrs=%lu\n",
+	file->Write(zeek::util::fmt("%.06f DNS_Mgr: requests=%lu succesful=%lu failed=%lu pending=%lu cached_hosts=%lu cached_addrs=%lu\n",
-					network_time,
+					zeek::run_state::network_time,
 					dstats.requests, dstats.successful, dstats.failed, dstats.pending,
 					dstats.cached_hosts, dstats.cached_addresses));
 	zeek::detail::trigger::Manager::Stats tstats;
-	trigger_mgr->GetStats(&tstats);
+	zeek::detail::trigger_mgr->GetStats(&tstats);
-	file->Write(fmt("%.06f Triggers: total=%lu pending=%lu\n", network_time, tstats.total, tstats.pending));
+	file->Write(zeek::util::fmt("%.06f Triggers: total=%lu pending=%lu\n", zeek::run_state::network_time, tstats.total, tstats.pending));
 	unsigned int* current_timers = zeek::detail::TimerMgr::CurrentTimers();
 	for ( int i = 0; i < zeek::detail::NUM_TIMER_TYPES; ++i )
 		{
 		if ( current_timers[i] )
-			file->Write(fmt("%.06f         %s = %d\n", network_time,
+			file->Write(zeek::util::fmt("%.06f         %s = %d\n", zeek::run_state::network_time,
 			                zeek::detail::timer_type_to_string(static_cast<zeek::detail::TimerType>(i)),
 			                current_timers[i]));
 		}
-	file->Write(fmt("%0.6f Threads: current=%d\n", network_time, thread_mgr->NumThreads()));
+	file->Write(zeek::util::fmt("%0.6f Threads: current=%d\n", zeek::run_state::network_time, zeek::thread_mgr->NumThreads()));
-	const threading::Manager::msg_stats_list& thread_stats = thread_mgr->GetMsgThreadStats();
+	const threading::Manager::msg_stats_list& thread_stats = zeek::thread_mgr->GetMsgThreadStats();
 	for ( threading::Manager::msg_stats_list::const_iterator i = thread_stats.begin();
 	      i != thread_stats.end(); ++i )
 		{
 		threading::MsgThread::Stats s = i->second;
-		file->Write(fmt("%0.6f   %-25s in=%" PRIu64 " out=%" PRIu64 " pending=%" PRIu64 "/%" PRIu64
+		file->Write(zeek::util::fmt("%0.6f   %-25s in=%" PRIu64 " out=%" PRIu64 " pending=%" PRIu64 "/%" PRIu64
 				" (#queue r/w: in=%" PRIu64 "/%" PRIu64 " out=%" PRIu64 "/%" PRIu64 ")"
 			        "\n",
-			    network_time,
+			    zeek::run_state::network_time,
 			    i->first.c_str(),
 			    s.sent_in, s.sent_out,
 			    s.pending_in, s.pending_out,
@ -232,12 +232,12 @@ void ProfileLogger::Log()
 	auto cs = broker_mgr->GetStatistics();
-	file->Write(fmt("%0.6f Comm: peers=%zu stores=%zu "
+	file->Write(zeek::util::fmt("%0.6f Comm: peers=%zu stores=%zu "
 			"pending_queries=%zu "
 			"events_in=%zu events_out=%zu "
 			"logs_in=%zu logs_out=%zu "
 			"ids_in=%zu ids_out=%zu ",
-			network_time, cs.num_peers, cs.num_stores,
+			zeek::run_state::network_time, cs.num_peers, cs.num_stores,
 			cs.num_pending_queries,
 			cs.num_events_incoming, cs.num_events_outgoing,
 			cs.num_logs_incoming, cs.num_logs_outgoing,
@ -253,8 +253,8 @@ void ProfileLogger::Log()
 		int total_table_entries = 0;
 		int total_table_rentries = 0;
-		file->Write(fmt("%.06f Global_sizes > 100k: %dK\n",
+		file->Write(zeek::util::fmt("%.06f Global_sizes > 100k: %dK\n",
-				network_time, mem / 1024));
+				zeek::run_state::network_time, mem / 1024));
 		for ( const auto& global : globals )
 			{
@ -294,12 +294,12 @@ void ProfileLogger::Log()
 				if ( print )
 					{
-					file->Write(fmt("%.06f                %s = %dK",
+					file->Write(zeek::util::fmt("%.06f                %s = %dK",
-						network_time, id->Name(),
+						zeek::run_state::network_time, id->Name(),
 						size / 1024));
 					if ( entries >= 0 )
-						file->Write(fmt(" (%d/%d entries)\n",
+						file->Write(zeek::util::fmt(" (%d/%d entries)\n",
 							entries, rentries));
 					else
 						file->Write("\n");
@ -307,10 +307,10 @@ void ProfileLogger::Log()
 				}
 			}
-		file->Write(fmt("%.06f Global_sizes total: %dK\n",
+		file->Write(zeek::util::fmt("%.06f Global_sizes total: %dK\n",
-				network_time, mem / 1024));
+				zeek::run_state::network_time, mem / 1024));
-		file->Write(fmt("%.06f Total number of table entries: %d/%d\n",
+		file->Write(zeek::util::fmt("%.06f Total number of table entries: %d/%d\n",
-				network_time,
+				zeek::run_state::network_time,
 				total_table_entries, total_table_rentries));
 		}
@ -329,17 +329,17 @@ void ProfileLogger::SegmentProfile(const char* name, const zeek::detail::Locatio
                                   double dtime, int dmem)
 	{
 	if ( name )
-		file->Write(fmt("%.06f segment-%s dt=%.06f dmem=%d\n",
+		file->Write(zeek::util::fmt("%.06f segment-%s dt=%.06f dmem=%d\n",
-				network_time, name, dtime, dmem));
+				zeek::run_state::network_time, name, dtime, dmem));
 	else if ( loc )
-		file->Write(fmt("%.06f segment-%s:%d dt=%.06f dmem=%d\n",
+		file->Write(zeek::util::fmt("%.06f segment-%s:%d dt=%.06f dmem=%d\n",
-				network_time,
+				zeek::run_state::network_time,
 				loc->filename ? loc->filename : "nofile",
 				loc->first_line,
 				dtime, dmem));
 	else
-		file->Write(fmt("%.06f segment-XXX dt=%.06f dmem=%d\n",
+		file->Write(zeek::util::fmt("%.06f segment-XXX dt=%.06f dmem=%d\n",
-				network_time, dtime, dmem));
+				zeek::run_state::network_time, dtime, dmem));
 	}
@ -442,7 +442,7 @@ void PacketProfiler::ProfilePkt(double t, unsigned int bytes)
 		getrusage(RUSAGE_SELF, &res);
 		gettimeofday(&ptimestamp, 0);
-		get_memory_usage(&last_mem, nullptr);
+		zeek::util::get_memory_usage(&last_mem, nullptr);
 		last_Utime = res.ru_utime.tv_sec + res.ru_utime.tv_usec / 1e6;
 		last_Stime = res.ru_stime.tv_sec + res.ru_stime.tv_usec / 1e6;
 		last_Rtime = ptimestamp.tv_sec + ptimestamp.tv_usec / 1e6;
@ -466,14 +466,14 @@ void PacketProfiler::ProfilePkt(double t, unsigned int bytes)
 			ptimestamp.tv_sec + ptimestamp.tv_usec / 1e6;
 		uint64_t curr_mem;
-		get_memory_usage(&curr_mem, nullptr);
+		zeek::util::get_memory_usage(&curr_mem, nullptr);
-		file->Write(fmt("%.06f %.03f %" PRIu64 " %" PRIu64 " %.03f %.03f %.03f %" PRIu64 "\n",
+		file->Write(zeek::util::fmt("%.06f %.03f %" PRIu64 " %" PRIu64 " %.03f %.03f %.03f %" PRIu64 "\n",
-				t, time-last_timestamp, pkt_cnt, byte_cnt,
+		                            t, time-last_timestamp, pkt_cnt, byte_cnt,
-				curr_Rtime - last_Rtime,
+		                            curr_Rtime - last_Rtime,
-				curr_Utime - last_Utime,
+		                            curr_Utime - last_Utime,
-				curr_Stime - last_Stime,
+		                            curr_Stime - last_Stime,
-				curr_mem - last_mem));
+		                            curr_mem - last_mem));
 		last_Utime = curr_Utime;
 		last_Stime = curr_Stime;
--- a/src/Stmt.cc
+++ b/src/Stmt.cc
@ -21,7 +21,9 @@
 #include "logging/Manager.h"
 #include "logging/logging.bif.h"
-const char* stmt_name(BroStmtTag t)
+namespace zeek::detail {
 const char* stmt_name(StmtTag t)
 	{
 	static const char* stmt_names[int(NUM_STMTS)] = {
 		"alarm", // Does no longer exist, but kept for keeping enums consistent.
@ -35,9 +37,7 @@ const char* stmt_name(BroStmtTag t)
 	return stmt_names[int(t)];
 	}
-namespace zeek::detail {
+Stmt::Stmt(StmtTag arg_tag)
 Stmt::Stmt(BroStmtTag arg_tag)
 	{
 	tag = arg_tag;
 	breakpoint_count = 0;
@ -143,7 +143,7 @@ void Stmt::AccessStats(ODesc* d) const
 	if ( d->IncludeStats() )
 		{
 		d->Add("(@");
-		d->Add(last_access ? fmt_access_time(last_access) : "<never>");
+		d->Add(last_access ? zeek::util::detail::fmt_access_time(last_access) : "<never>");
 		d->Add(" #");
 		d->Add(access_count);
 		d->Add(")");
@ -151,10 +151,10 @@ void Stmt::AccessStats(ODesc* d) const
 		}
 	}
-ExprListStmt::ExprListStmt(BroStmtTag t, ListExprPtr arg_l)
+ExprListStmt::ExprListStmt(StmtTag t, ListExprPtr arg_l)
 	: Stmt(t), l(std::move(arg_l))
 	{
-	const expr_list& e = l->Exprs();
+	const ExprPList& e = l->Exprs();
 	for ( const auto& expr : e )
 		{
 		const auto& t = expr->GetType();
@ -167,9 +167,9 @@ ExprListStmt::ExprListStmt(BroStmtTag t, ListExprPtr arg_l)
 ExprListStmt::~ExprListStmt() = default;
-ValPtr ExprListStmt::Exec(Frame* f, stmt_flow_type& flow) const
+ValPtr ExprListStmt::Exec(Frame* f, StmtFlowType& flow) const
 	{
-	last_access = network_time;
+	last_access = zeek::run_state::network_time;
 	flow = FLOW_NEXT;
 	auto vals = eval_list(f, l.get());
@ -192,7 +192,7 @@ TraversalCode ExprListStmt::Traverse(TraversalCallback* cb) const
 	TraversalCode tc = cb->PreStmt(this);
 	HANDLE_TC_STMT_PRE(tc);
-	const expr_list& e = l->Exprs();
+	const ExprPList& e = l->Exprs();
 	for ( const auto& expr : e )
 		{
 		tc = expr->Traverse(cb);
@ -233,13 +233,13 @@ static void print_log(const std::vector<ValPtr>& vals)
 		vec->Assign(vec->Size(), zeek::make_intrusive<zeek::StringVal>(d.Description()));
 		}
-	record->Assign(0, zeek::make_intrusive<zeek::TimeVal>(network_time));
+	record->Assign(0, zeek::make_intrusive<zeek::TimeVal>(zeek::run_state::network_time));
 	record->Assign(1, std::move(vec));
-	log_mgr->Write(plval.get(), record.get());
+	zeek::log_mgr->Write(plval.get(), record.get());
 	}
 ValPtr PrintStmt::DoExec(std::vector<ValPtr> vals,
-                         stmt_flow_type& /* flow */) const
+                         StmtFlowType& /* flow */) const
 	{
 	RegisterAccess();
@ -316,7 +316,7 @@ ExprStmt::ExprStmt(ExprPtr arg_e) : Stmt(STMT_EXPR), e(std::move(arg_e))
 	SetLocationInfo(e->GetLocationInfo());
 	}
-ExprStmt::ExprStmt(BroStmtTag t, ExprPtr arg_e) : Stmt(t), e(std::move(arg_e))
+ExprStmt::ExprStmt(StmtTag t, ExprPtr arg_e) : Stmt(t), e(std::move(arg_e))
 	{
 	if ( e )
 		SetLocationInfo(e->GetLocationInfo());
@ -324,7 +324,7 @@ ExprStmt::ExprStmt(BroStmtTag t, ExprPtr arg_e) : Stmt(t), e(std::move(arg_e))
 ExprStmt::~ExprStmt() = default;
-ValPtr ExprStmt::Exec(Frame* f, stmt_flow_type& flow) const
+ValPtr ExprStmt::Exec(Frame* f, StmtFlowType& flow) const
 	{
 	RegisterAccess();
 	flow = FLOW_NEXT;
@ -337,7 +337,7 @@ ValPtr ExprStmt::Exec(Frame* f, stmt_flow_type& flow) const
 		return nullptr;
 	}
-ValPtr ExprStmt::DoExec(Frame* /* f */, Val* /* v */, stmt_flow_type& /* flow */) const
+ValPtr ExprStmt::DoExec(Frame* /* f */, Val* /* v */, StmtFlowType& /* flow */) const
 	{
 	return nullptr;
 	}
@ -399,7 +399,7 @@ IfStmt::IfStmt(ExprPtr test,
 IfStmt::~IfStmt() = default;
-ValPtr IfStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const
+ValPtr IfStmt::DoExec(Frame* f, Val* v, StmtFlowType& flow) const
 	{
 	// Treat 0 as false, but don't require 1 for true.
 	Stmt* do_stmt = v->IsZero() ? s2.get() : s1.get();
@ -467,7 +467,7 @@ TraversalCode IfStmt::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
-static BroStmtTag get_last_stmt_tag(const Stmt* stmt)
+static StmtTag get_last_stmt_tag(const Stmt* stmt)
 	{
 	if ( ! stmt )
 		return STMT_NULL;
@ -484,12 +484,12 @@ static BroStmtTag get_last_stmt_tag(const Stmt* stmt)
 	return get_last_stmt_tag(stmts->Stmts()[len - 1]);
 	}
-Case::Case(ListExprPtr arg_expr_cases, id_list* arg_type_cases,
+Case::Case(ListExprPtr arg_expr_cases, IDPList* arg_type_cases,
           StmtPtr arg_s)
 	: expr_cases(std::move(arg_expr_cases)), type_cases(arg_type_cases),
 	  s(std::move(arg_s))
 	{
-	BroStmtTag t = get_last_stmt_tag(Body());
+	StmtTag t = get_last_stmt_tag(Body());
 	if ( t != STMT_BREAK && t != STMT_FALLTHROUGH && t != STMT_RETURN )
 		Error("case block must end in break/fallthrough/return statement");
@ -525,7 +525,7 @@ void Case::Describe(ODesc* d) const
 	if ( expr_cases )
 		{
-		const expr_list& e = expr_cases->Exprs();
+		const ExprPList& e = expr_cases->Exprs();
 		d->AddCount(e.length());
@ -541,7 +541,7 @@ void Case::Describe(ODesc* d) const
 	if ( type_cases )
 		{
-		const id_list& t = *type_cases;
+		const IDPList& t = *type_cases;
 		d->AddCount(t.length());
@ -622,7 +622,7 @@ SwitchStmt::SwitchStmt(ExprPtr index, case_list* arg_cases)
 		{
 		Case* c = (*cases)[i];
 		ListExpr* le = c->ExprCases();
-		id_list* tl = c->TypeCases();
+		IDPList* tl = c->TypeCases();
 		if ( le )
 			{
@ -637,7 +637,7 @@ SwitchStmt::SwitchStmt(ExprPtr index, case_list* arg_cases)
 				continue;
 				}
-			expr_list& exprs = le->Exprs();
+			ExprPList& exprs = le->Exprs();
 			loop_over_list(exprs, j)
 				{
@ -817,7 +817,7 @@ std::pair<int, ID*> SwitchStmt::FindCaseLabelMatch(const Val* v) const
 		return std::make_pair(label_idx, label_id);
 	}
-ValPtr SwitchStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const
+ValPtr SwitchStmt::DoExec(Frame* f, Val* v, StmtFlowType& flow) const
 	{
 	ValPtr rval;
@ -913,7 +913,7 @@ bool AddStmt::IsPure() const
 	return false;
 	}
-ValPtr AddStmt::Exec(Frame* f, stmt_flow_type& flow) const
+ValPtr AddStmt::Exec(Frame* f, StmtFlowType& flow) const
 	{
 	RegisterAccess();
 	flow = FLOW_NEXT;
@ -949,7 +949,7 @@ bool DelStmt::IsPure() const
 	return false;
 	}
-ValPtr DelStmt::Exec(Frame* f, stmt_flow_type& flow) const
+ValPtr DelStmt::Exec(Frame* f, StmtFlowType& flow) const
 	{
 	RegisterAccess();
 	flow = FLOW_NEXT;
@ -975,7 +975,7 @@ EventStmt::EventStmt(EventExprPtr arg_e)
 	{
 	}
-ValPtr EventStmt::Exec(Frame* f, stmt_flow_type& flow) const
+ValPtr EventStmt::Exec(Frame* f, StmtFlowType& flow) const
 	{
 	RegisterAccess();
 	auto args = eval_list(f, event_expr->Args());
@ -1052,7 +1052,7 @@ TraversalCode WhileStmt::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
-ValPtr WhileStmt::Exec(Frame* f, stmt_flow_type& flow) const
+ValPtr WhileStmt::Exec(Frame* f, StmtFlowType& flow) const
 	{
 	RegisterAccess();
 	flow = FLOW_NEXT;
@ -1081,7 +1081,7 @@ ValPtr WhileStmt::Exec(Frame* f, stmt_flow_type& flow) const
 	return rval;
 	}
-ForStmt::ForStmt(id_list* arg_loop_vars, ExprPtr loop_expr)
+ForStmt::ForStmt(IDPList* arg_loop_vars, ExprPtr loop_expr)
 	: ExprStmt(STMT_FOR, std::move(loop_expr))
 	{
 	loop_vars = arg_loop_vars;
@ -1163,7 +1163,7 @@ ForStmt::ForStmt(id_list* arg_loop_vars, ExprPtr loop_expr)
 		e->Error("target to iterate over must be a table, set, vector, or string");
 	}
-ForStmt::ForStmt(id_list* arg_loop_vars,
+ForStmt::ForStmt(IDPList* arg_loop_vars,
                 ExprPtr loop_expr, IDPtr val_var)
 	: ForStmt(arg_loop_vars, std::move(loop_expr))
 	{
@ -1195,7 +1195,7 @@ ForStmt::~ForStmt()
 	delete loop_vars;
 	}
-ValPtr ForStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const
+ValPtr ForStmt::DoExec(Frame* f, Val* v, StmtFlowType& flow) const
 	{
 	ValPtr ret;
@ -1353,7 +1353,7 @@ TraversalCode ForStmt::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
-ValPtr NextStmt::Exec(Frame* /* f */, stmt_flow_type& flow) const
+ValPtr NextStmt::Exec(Frame* /* f */, StmtFlowType& flow) const
 	{
 	RegisterAccess();
 	flow = FLOW_LOOP;
@ -1380,7 +1380,7 @@ TraversalCode NextStmt::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
-ValPtr BreakStmt::Exec(Frame* /* f */, stmt_flow_type& flow) const
+ValPtr BreakStmt::Exec(Frame* /* f */, StmtFlowType& flow) const
 	{
 	RegisterAccess();
 	flow = FLOW_BREAK;
@ -1407,7 +1407,7 @@ TraversalCode BreakStmt::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
-ValPtr FallthroughStmt::Exec(Frame* /* f */, stmt_flow_type& flow) const
+ValPtr FallthroughStmt::Exec(Frame* /* f */, StmtFlowType& flow) const
 	{
 	RegisterAccess();
 	flow = FLOW_FALLTHROUGH;
@ -1478,7 +1478,7 @@ ReturnStmt::ReturnStmt(ExprPtr arg_e)
 		}
 	}
-ValPtr ReturnStmt::Exec(Frame* f, stmt_flow_type& flow) const
+ValPtr ReturnStmt::Exec(Frame* f, StmtFlowType& flow) const
 	{
 	RegisterAccess();
 	flow = FLOW_RETURN;
@ -1517,7 +1517,7 @@ StmtList::~StmtList()
 		Unref(stmt);
 	}
-ValPtr StmtList::Exec(Frame* f, stmt_flow_type& flow) const
+ValPtr StmtList::Exec(Frame* f, StmtFlowType& flow) const
 	{
 	RegisterAccess();
 	flow = FLOW_NEXT;
@ -1596,7 +1596,7 @@ TraversalCode StmtList::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
-ValPtr EventBodyList::Exec(Frame* f, stmt_flow_type& flow) const
+ValPtr EventBodyList::Exec(Frame* f, StmtFlowType& flow) const
 	{
 	RegisterAccess();
 	flow = FLOW_NEXT;
@ -1621,7 +1621,7 @@ ValPtr EventBodyList::Exec(Frame* f, stmt_flow_type& flow) const
 		}
 	// Simulate a return so the hooks operate properly.
-	stmt_flow_type ft = FLOW_RETURN;
+	StmtFlowType ft = FLOW_RETURN;
 	(void) post_execute_stmt(f->GetNextStmt(), f, nullptr, &ft);
 	return nullptr;
@ -1662,7 +1662,7 @@ InitStmt::InitStmt(std::vector<IDPtr> arg_inits) : Stmt(STMT_INIT)
 		SetLocationInfo(inits[0]->GetLocationInfo());
 	}
-ValPtr InitStmt::Exec(Frame* f, stmt_flow_type& flow) const
+ValPtr InitStmt::Exec(Frame* f, StmtFlowType& flow) const
 	{
 	RegisterAccess();
 	flow = FLOW_NEXT;
@ -1727,7 +1727,7 @@ TraversalCode InitStmt::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
-ValPtr NullStmt::Exec(Frame* /* f */, stmt_flow_type& flow) const
+ValPtr NullStmt::Exec(Frame* /* f */, StmtFlowType& flow) const
 	{
 	RegisterAccess();
 	flow = FLOW_NEXT;
@ -1782,7 +1782,7 @@ WhenStmt::WhenStmt(ExprPtr arg_cond,
 WhenStmt::~WhenStmt() = default;
-ValPtr WhenStmt::Exec(Frame* f, stmt_flow_type& flow) const
+ValPtr WhenStmt::Exec(Frame* f, StmtFlowType& flow) const
 	{
 	RegisterAccess();
 	flow = FLOW_NEXT;
--- a/src/Stmt.h
+++ b/src/Stmt.h
@ -4,7 +4,7 @@
 // BRO statements.
-#include "BroList.h"
+#include "ZeekList.h"
 #include "Dict.h"
 #include "ID.h"
 #include "Obj.h"
@ -16,6 +16,8 @@
 ZEEK_FORWARD_DECLARE_NAMESPACED(CompositeHash, zeek::detail);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Frame, zeek::detail);
 namespace zeek::run_state { extern double network_time; }
 namespace zeek::detail {
 class StmtList;
@ -31,11 +33,11 @@ using StmtPtr = zeek::IntrusivePtr<Stmt>;
 class Stmt : public Obj {
 public:
-	BroStmtTag Tag() const	{ return tag; }
+	StmtTag Tag() const	{ return tag; }
 	~Stmt() override;
-	virtual ValPtr Exec(Frame* f, stmt_flow_type& flow) const = 0;
+	virtual ValPtr Exec(Frame* f, StmtFlowType& flow) const = 0;
 	Stmt* Ref()			{ zeek::Ref(this); return this; }
@ -51,7 +53,7 @@ public:
 	ForStmt* AsForStmt();
-	void RegisterAccess() const	{ last_access = network_time; access_count++; }
+	void RegisterAccess() const	{ last_access = zeek::run_state::network_time; access_count++; }
 	void AccessStats(ODesc* d) const;
 	uint32_t GetAccessCount() const { return access_count; }
@ -65,12 +67,12 @@ public:
 	virtual TraversalCode Traverse(TraversalCallback* cb) const = 0;
 protected:
-	explicit Stmt(BroStmtTag arg_tag);
+	explicit Stmt(StmtTag arg_tag);
 	void AddTag(ODesc* d) const;
 	void DescribeDone(ODesc* d) const;
-	BroStmtTag tag;
+	StmtTag tag;
 	int breakpoint_count;	// how many breakpoints on this statement
 	// FIXME: Learn the exact semantics of mutable.
@ -85,13 +87,13 @@ public:
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 protected:
-	ExprListStmt(BroStmtTag t, ListExprPtr arg_l);
+	ExprListStmt(StmtTag t, ListExprPtr arg_l);
 	~ExprListStmt() override;
-	ValPtr Exec(Frame* f, stmt_flow_type& flow) const override;
+	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 	virtual ValPtr DoExec(std::vector<ValPtr> vals,
-	                      stmt_flow_type& flow) const = 0;
+	                      StmtFlowType& flow) const = 0;
 	void Describe(ODesc* d) const override;
@ -105,7 +107,7 @@ public:
 protected:
 	ValPtr DoExec(std::vector<ValPtr> vals,
-	              stmt_flow_type& flow) const override;
+	              StmtFlowType& flow) const override;
 };
 class ExprStmt : public Stmt {
@ -113,7 +115,7 @@ public:
 	explicit ExprStmt(ExprPtr e);
 	~ExprStmt() override;
-	ValPtr Exec(Frame* f, stmt_flow_type& flow) const override;
+	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 	const Expr* StmtExpr() const	{ return e.get(); }
@ -122,9 +124,9 @@ public:
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 protected:
-	ExprStmt(BroStmtTag t, ExprPtr e);
+	ExprStmt(StmtTag t, ExprPtr e);
-	virtual ValPtr DoExec(Frame* f, Val* v, stmt_flow_type& flow) const;
+	virtual ValPtr DoExec(Frame* f, Val* v, StmtFlowType& flow) const;
 	bool IsPure() const override;
@ -144,7 +146,7 @@ public:
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 protected:
-	ValPtr DoExec(Frame* f, Val* v, stmt_flow_type& flow) const override;
+	ValPtr DoExec(Frame* f, Val* v, StmtFlowType& flow) const override;
 	bool IsPure() const override;
 	StmtPtr s1;
@ -153,14 +155,14 @@ protected:
 class Case final : public Obj {
 public:
-	Case(ListExprPtr c, id_list* types, StmtPtr arg_s);
+	Case(ListExprPtr c, IDPList* types, StmtPtr arg_s);
 	~Case() override;
 	const ListExpr* ExprCases() const	{ return expr_cases.get(); }
 	ListExpr* ExprCases()		{ return expr_cases.get(); }
-	const id_list* TypeCases() const	{ return type_cases; }
+	const IDPList* TypeCases() const	{ return type_cases; }
-	id_list* TypeCases()		{ return type_cases; }
+	IDPList* TypeCases()		{ return type_cases; }
 	const Stmt* Body() const	{ return s.get(); }
 	Stmt* Body()			{ return s.get(); }
@ -171,7 +173,7 @@ public:
 protected:
 	ListExprPtr expr_cases;
-	id_list* type_cases;
+	IDPList* type_cases;
 	StmtPtr s;
 };
@ -189,7 +191,7 @@ public:
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 protected:
-	ValPtr DoExec(Frame* f, Val* v, stmt_flow_type& flow) const override;
+	ValPtr DoExec(Frame* f, Val* v, StmtFlowType& flow) const override;
 	bool IsPure() const override;
 	// Initialize composite hash and case label map.
@ -223,7 +225,7 @@ public:
 	explicit AddStmt(ExprPtr e);
 	bool IsPure() const override;
-	ValPtr Exec(Frame* f, stmt_flow_type& flow) const override;
+	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 };
@ -233,7 +235,7 @@ public:
 	explicit DelStmt(ExprPtr e);
 	bool IsPure() const override;
-	ValPtr Exec(Frame* f, stmt_flow_type& flow) const override;
+	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 };
@ -242,7 +244,7 @@ class EventStmt final : public ExprStmt {
 public:
 	explicit EventStmt(EventExprPtr e);
-	ValPtr Exec(Frame* f, stmt_flow_type& flow) const override;
+	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 	TraversalCode Traverse(TraversalCallback* cb) const override;
@ -263,7 +265,7 @@ public:
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 protected:
-	ValPtr Exec(Frame* f, stmt_flow_type& flow) const override;
+	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 	ExprPtr loop_condition;
 	StmtPtr body;
@ -271,14 +273,14 @@ protected:
 class ForStmt final : public ExprStmt {
 public:
-	ForStmt(id_list* loop_vars, ExprPtr loop_expr);
+	ForStmt(IDPList* loop_vars, ExprPtr loop_expr);
 	// Special constructor for key value for loop.
-	ForStmt(id_list* loop_vars, ExprPtr loop_expr, IDPtr val_var);
+	ForStmt(IDPList* loop_vars, ExprPtr loop_expr, IDPtr val_var);
 	~ForStmt() override;
 	void AddBody(StmtPtr arg_body)	{ body = std::move(arg_body); }
-	const id_list* LoopVar() const	{ return loop_vars; }
+	const IDPList* LoopVar() const	{ return loop_vars; }
 	const Expr* LoopExpr() const	{ return e.get(); }
 	const Stmt* LoopBody() const	{ return body.get(); }
@ -289,9 +291,9 @@ public:
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 protected:
-	ValPtr DoExec(Frame* f, Val* v, stmt_flow_type& flow) const override;
+	ValPtr DoExec(Frame* f, Val* v, StmtFlowType& flow) const override;
-	id_list* loop_vars;
+	IDPList* loop_vars;
 	StmtPtr body;
 	// Stores the value variable being used for a key value for loop.
 	// Always set to nullptr unless special constructor is called.
@ -302,7 +304,7 @@ class NextStmt final : public Stmt {
 public:
 	NextStmt() : Stmt(STMT_NEXT)	{ }
-	ValPtr Exec(Frame* f, stmt_flow_type& flow) const override;
+	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 	bool IsPure() const override;
 	void Describe(ODesc* d) const override;
@ -316,7 +318,7 @@ class BreakStmt final : public Stmt {
 public:
 	BreakStmt() : Stmt(STMT_BREAK)	{ }
-	ValPtr Exec(Frame* f, stmt_flow_type& flow) const override;
+	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 	bool IsPure() const override;
 	void Describe(ODesc* d) const override;
@ -330,7 +332,7 @@ class FallthroughStmt final : public Stmt {
 public:
 	FallthroughStmt() : Stmt(STMT_FALLTHROUGH)	{ }
-	ValPtr Exec(Frame* f, stmt_flow_type& flow) const override;
+	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 	bool IsPure() const override;
 	void Describe(ODesc* d) const override;
@ -344,7 +346,7 @@ class ReturnStmt final : public ExprStmt {
 public:
 	explicit ReturnStmt(ExprPtr e);
-	ValPtr Exec(Frame* f, stmt_flow_type& flow) const override;
+	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 	void Describe(ODesc* d) const override;
 };
@ -354,10 +356,10 @@ public:
 	StmtList();
 	~StmtList() override;
-	ValPtr Exec(Frame* f, stmt_flow_type& flow) const override;
+	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
-	const stmt_list& Stmts() const	{ return stmts; }
+	const StmtPList& Stmts() const	{ return stmts; }
-	stmt_list& Stmts()		{ return stmts; }
+	StmtPList& Stmts()		{ return stmts; }
 	void Describe(ODesc* d) const override;
@ -366,7 +368,7 @@ public:
 protected:
 	bool IsPure() const override;
-	stmt_list stmts;
+	StmtPList stmts;
 };
 class EventBodyList final : public StmtList {
@ -374,7 +376,7 @@ public:
 	EventBodyList() : StmtList()
 		{ topmost = false; tag = STMT_EVENT_BODY_LIST; }
-	ValPtr Exec(Frame* f, stmt_flow_type& flow) const override;
+	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 	void Describe(ODesc* d) const override;
@ -390,7 +392,7 @@ class InitStmt final : public Stmt {
 public:
 	explicit InitStmt(std::vector<IDPtr> arg_inits);
-	ValPtr Exec(Frame* f, stmt_flow_type& flow) const override;
+	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 	const std::vector<IDPtr>& Inits() const
 		{ return inits; }
@ -407,7 +409,7 @@ class NullStmt final : public Stmt {
 public:
 	NullStmt() : Stmt(STMT_NULL)	{ }
-	ValPtr Exec(Frame* f, stmt_flow_type& flow) const override;
+	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 	bool IsPure() const override;
 	void Describe(ODesc* d) const override;
@ -423,7 +425,7 @@ public:
 	         ExprPtr timeout, bool is_return);
 	~WhenStmt() override;
-	ValPtr Exec(Frame* f, stmt_flow_type& flow) const override;
+	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 	bool IsPure() const override;
 	const Expr* Cond() const	{ return cond.get(); }
@ -443,7 +445,7 @@ protected:
 	bool is_return;
 };
-}
+} // namespace zeek::detail
 using Stmt [[deprecated("Remove in v4.1. Use zeek::detail::Stmt instead.")]] = zeek::detail::Stmt;
 using ExprListStmt [[deprecated("Remove in v4.1. Use zeek::detail::ExprListStmt instead.")]] = zeek::detail::ExprListStmt;
--- a/src/StmtEnums.h
+++ b/src/StmtEnums.h
@ -1,10 +1,11 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 #pragma once
-// These are in a separate file to break circular dependences 
+namespace zeek::detail {
-typedef enum {
+
 // These are in a separate file to break circular dependences
 enum StmtTag {
 	STMT_ANY = -1,
 	STMT_ALARM, // Does no longer exist but kept to create enums consistent.
 	STMT_PRINT, STMT_EVENT,
@ -19,14 +20,47 @@ typedef enum {
 	STMT_WHILE,
 	STMT_NULL
 #define NUM_STMTS (int(STMT_NULL) + 1)
-} BroStmtTag;
+};
-typedef enum {
+enum StmtFlowType {
 	FLOW_NEXT,		// continue on to next statement
 	FLOW_LOOP,		// go to top of loop
 	FLOW_BREAK,		// break out of loop
 	FLOW_RETURN,		// return from function
 	FLOW_FALLTHROUGH	// fall through to next switch case
-} stmt_flow_type;
+};
-extern const char* stmt_name(BroStmtTag t);
+extern const char* stmt_name(StmtTag t);
 } // namespace zeek::detail
 using BroStmtTag [[deprecated("Remove in v4.1. Use zeek::detail::StmtTag.")]] = zeek::detail::StmtTag;
 constexpr auto STMT_ANY [[deprecated("Remove in v4.1. Use zeek::detail::STMT_ANY.")]] = zeek::detail::STMT_ANY;
 constexpr auto STMT_ALARM [[deprecated("Remove in v4.1. Use zeek::detail::STMT_ALARM.")]] = zeek::detail::STMT_ALARM;
 constexpr auto STMT_PRINT [[deprecated("Remove in v4.1. Use zeek::detail::STMT_PRINT.")]] = zeek::detail::STMT_PRINT;
 constexpr auto STMT_EVENT [[deprecated("Remove in v4.1. Use zeek::detail::STMT_EVENT.")]] = zeek::detail::STMT_EVENT;
 constexpr auto STMT_EXPR [[deprecated("Remove in v4.1. Use zeek::detail::STMT_EXPR.")]] = zeek::detail::STMT_EXPR;
 constexpr auto STMT_IF [[deprecated("Remove in v4.1. Use zeek::detail::STMT_IF.")]] = zeek::detail::STMT_IF;
 constexpr auto STMT_WHEN [[deprecated("Remove in v4.1. Use zeek::detail::STMT_WHEN.")]] = zeek::detail::STMT_WHEN;
 constexpr auto STMT_SWITCH [[deprecated("Remove in v4.1. Use zeek::detail::STMT_SWITCH.")]] = zeek::detail::STMT_SWITCH;
 constexpr auto STMT_FOR [[deprecated("Remove in v4.1. Use zeek::detail::STMT_FOR.")]] = zeek::detail::STMT_FOR;
 constexpr auto STMT_NEXT [[deprecated("Remove in v4.1. Use zeek::detail::STMT_NEXT.")]] = zeek::detail::STMT_NEXT;
 constexpr auto STMT_BREAK [[deprecated("Remove in v4.1. Use zeek::detail::STMT_BREAK.")]] = zeek::detail::STMT_BREAK;
 constexpr auto STMT_RETURN [[deprecated("Remove in v4.1. Use zeek::detail::STMT_RETURN.")]] = zeek::detail::STMT_RETURN;
 constexpr auto STMT_ADD [[deprecated("Remove in v4.1. Use zeek::detail::STMT_ADD.")]] = zeek::detail::STMT_ADD;
 constexpr auto STMT_DELETE [[deprecated("Remove in v4.1. Use zeek::detail::STMT_DELETE.")]] = zeek::detail::STMT_DELETE;
 constexpr auto STMT_LIST [[deprecated("Remove in v4.1. Use zeek::detail::STMT_LIST.")]] = zeek::detail::STMT_LIST;
 constexpr auto STMT_EVENT_BODY_LIST [[deprecated("Remove in v4.1. Use zeek::detail::STMT_EVENT_BODY_LIST.")]] = zeek::detail::STMT_EVENT_BODY_LIST;
 constexpr auto STMT_INIT [[deprecated("Remove in v4.1. Use zeek::detail::STMT_INIT.")]] = zeek::detail::STMT_INIT;
 constexpr auto STMT_FALLTHROUGH [[deprecated("Remove in v4.1. Use zeek::detail::STMT_FALLTHROUGH.")]] = zeek::detail::STMT_FALLTHROUGH;
 constexpr auto STMT_WHILE [[deprecated("Remove in v4.1. Use zeek::detail::STMT_WHILE.")]] = zeek::detail::STMT_WHILE;
 constexpr auto STMT_NULL [[deprecated("Remove in v4.1. Use zeek::detail::STMT_NULL.")]] = zeek::detail::STMT_NULL;
 using stmt_flow_type [[deprecated("Remove in v4.1. Use zeek::detail::StmtFlowType.")]] = zeek::detail::StmtFlowType;
 constexpr auto FLOW_NEXT [[deprecated("Remove in v4.1. Use zeek::detail::FLOW_NEXT.")]] = zeek::detail::FLOW_NEXT;
 constexpr auto FLOW_LOOP [[deprecated("Remove in v4.1. Use zeek::detail::FLOW_LOOP.")]] = zeek::detail::FLOW_LOOP;
 constexpr auto FLOW_BREAK [[deprecated("Remove in v4.1. Use zeek::detail::FLOW_BREAK.")]] = zeek::detail::FLOW_BREAK;
 constexpr auto FLOW_RETURN [[deprecated("Remove in v4.1. Use zeek::detail::FLOW_RETURN.")]] = zeek::detail::FLOW_RETURN;
 constexpr auto FLOW_FALLTHROUGH [[deprecated("Remove in v4.1. Use zeek::detail::FLOW_FALLTHROUGH.")]] = zeek::detail::FLOW_FALLTHROUGH;
 constexpr auto stmt_name [[deprecated("Remove in v4.1. Use zeek::detail::stmt_name.")]] = zeek::detail::stmt_name;
--- a/src/Tag.cc
+++ b/src/Tag.cc
@ -92,7 +92,7 @@ zeek::EnumVal* Tag::AsEnumVal(zeek::EnumType* etype) const
 std::string Tag::AsString() const
 	{
-	return fmt("%" PRIu32 "/%" PRIu32, type, subtype);
+	return zeek::util::fmt("%" PRIu32 "/%" PRIu32, type, subtype);
 	}
 } // namespace zeek
--- a/src/Timer.cc
+++ b/src/Timer.cc
@ -5,7 +5,7 @@
 #include "util.h"
 #include "Timer.h"
 #include "Desc.h"
-#include "Net.h"
+#include "RunState.h"
 #include "NetVar.h"
 #include "broker/Manager.h"
 #include "iosource/Manager.h"
@ -69,8 +69,8 @@ TimerMgr::TimerMgr()
 	num_expired = 0;
 	last_advance = last_timestamp = 0;
-	if ( iosource_mgr )
+	if ( zeek::iosource_mgr )
-		iosource_mgr->Register(this, true);
+		zeek::iosource_mgr->Register(this, true);
 	}
 TimerMgr::~TimerMgr()
@ -95,19 +95,20 @@ void TimerMgr::Process()
 	// If we don't have a source, or the source is closed, or we're reading live (which includes
 	// pseudo-realtime), advance the timer here to the current time since otherwise it won't
 	// move forward and the timers won't fire correctly.
-	iosource::PktSrc* pkt_src = iosource_mgr->GetPktSrc();
+	iosource::PktSrc* pkt_src = zeek::iosource_mgr->GetPktSrc();
-	if ( ! pkt_src || ! pkt_src->IsOpen() || reading_live || net_is_processing_suspended() )
+	if ( ! pkt_src || ! pkt_src->IsOpen() || zeek::run_state::reading_live || zeek::run_state::is_processing_suspended() )
-		net_update_time(current_time());
+		zeek::run_state::detail::update_network_time(zeek::util::current_time());
 	// Just advance the timer manager based on the current network time. This won't actually
 	// change the time, but will dispatch any timers that need dispatching.
-	current_dispatched += Advance(network_time, max_timer_expires - current_dispatched);
+	zeek::run_state::current_dispatched += Advance(
 		zeek::run_state::network_time, max_timer_expires - zeek::run_state::current_dispatched);
 	}
 void TimerMgr::InitPostScript()
 	{
-	if ( iosource_mgr )
+	if ( zeek::iosource_mgr )
-		iosource_mgr->Register(this, true);
+		zeek::iosource_mgr->Register(this, true);
 	}
 PQ_TimerMgr::PQ_TimerMgr() : TimerMgr()
@ -185,7 +186,7 @@ double PQ_TimerMgr::GetNextTimeout()
 	{
 	Timer* top = Top();
 	if ( top )
-		return std::max(0.0, top->Time() - ::network_time);
+		return std::max(0.0, top->Time() - zeek::run_state::network_time);
 	return -1;
 	}
--- a/src/Trigger.cc
+++ b/src/Trigger.cc
@ -85,12 +85,12 @@ TraversalCode zeek::detail::trigger::TriggerTraversalCallback::PreExpr(const zee
 class TriggerTimer final : public Timer {
 public:
 	TriggerTimer(double arg_timeout, Trigger* arg_trigger)
-	: Timer(network_time + arg_timeout, TIMER_TRIGGER)
+	: Timer(zeek::run_state::network_time + arg_timeout, TIMER_TRIGGER)
 		{
 		Ref(arg_trigger);
 		trigger = arg_trigger;
 		timeout = arg_timeout;
-		time = network_time;
+		time = zeek::run_state::network_time;
 		}
 	~TriggerTimer()
@ -296,7 +296,7 @@ bool Trigger::Eval()
 			Name());
 	v = nullptr;
-	stmt_flow_type flow;
+	StmtFlowType flow;
 	try
 		{
@ -313,7 +313,7 @@ bool Trigger::Eval()
 		assert(trigger->attached == this);
 #ifdef DEBUG
-		const char* pname = copy_string(trigger->Name());
+		const char* pname = zeek::util::copy_string(trigger->Name());
 		DBG_LOG(zeek::DBG_NOTIFIERS, "%s: trigger has parent %s, caching result", Name(), pname);
 		delete [] pname;
 #endif
@ -347,7 +347,7 @@ void Trigger::Timeout()
 	DBG_LOG(zeek::DBG_NOTIFIERS, "%s: timeout", Name());
 	if ( timeout_stmts )
 		{
-		stmt_flow_type flow;
+		StmtFlowType flow;
 		FramePtr f{zeek::AdoptRef{}, frame->Clone()};
 		ValPtr v;
@ -366,7 +366,7 @@ void Trigger::Timeout()
 			assert(trigger->attached == this);
 #ifdef DEBUG
-			const char* pname = copy_string(trigger->Name());
+			const char* pname = zeek::util::copy_string(trigger->Name());
 			DBG_LOG(zeek::DBG_NOTIFIERS, "%s: trigger has parent %s, caching timeout result", Name(), pname);
 			delete [] pname;
 #endif
@ -388,7 +388,7 @@ void Trigger::Timeout()
 void Trigger::Register(zeek::detail::ID* id)
 	{
 	assert(! disabled);
-	notifier::registry.Register(id, this);
+	zeek::notifier::detail::registry.Register(id, this);
 	Ref(id);
 	objs.push_back({id, id});
@ -400,7 +400,7 @@ void Trigger::Register(Val* val)
 		return;
 	assert(! disabled);
-	notifier::registry.Register(val->Modifiable(), this);
+	zeek::notifier::detail::registry.Register(val->Modifiable(), this);
 	Ref(val);
 	objs.emplace_back(val, val->Modifiable());
@ -412,7 +412,7 @@ void Trigger::UnregisterAll()
 	for ( const auto& o : objs )
 		{
-		notifier::registry.Unregister(o.second, this);
+		zeek::notifier::detail::registry.Unregister(o.second, this);
 		Unref(o.first);
 		}
@ -426,7 +426,7 @@ void Trigger::Attach(Trigger *trigger)
 	assert(! trigger->delayed);
 #ifdef DEBUG
-	const char* pname = copy_string(trigger->Name());
+	const char* pname = zeek::util::copy_string(trigger->Name());
 	DBG_LOG(zeek::DBG_NOTIFIERS, "%s: attaching to %s", Name(), pname);
 	delete [] pname;
 #endif
@ -454,7 +454,7 @@ bool Trigger::Cache(const zeek::detail::CallExpr* expr, Val* v)
 	Ref(v);
-	trigger_mgr->Queue(this);
+	zeek::detail::trigger_mgr->Queue(this);
 	return true;
 	}
@ -478,24 +478,24 @@ void Trigger::Describe(ODesc* d) const
 	d->Add("<trigger>");
 	}
-void Trigger::Modified(notifier::Modifiable* m)
+void Trigger::Modified(zeek::notifier::detail::Modifiable* m)
 	{
-	trigger_mgr->Queue(this);
+	zeek::detail::trigger_mgr->Queue(this);
 	}
 const char* Trigger::Name() const
 	{
 	assert(location);
-	return fmt("%s:%d-%d", location->filename,
+	return zeek::util::fmt("%s:%d-%d", location->filename,
-			location->first_line, location->last_line);
+	                       location->first_line, location->last_line);
 	}
-Manager::Manager() : IOSource()
+Manager::Manager() : zeek::iosource::IOSource()
 	{
 	pending = new TriggerList();
-	iosource_mgr->Register(this, true);
+	zeek::iosource_mgr->Register(this, true);
 	}
 Manager::~Manager()
@ -505,7 +505,7 @@ Manager::~Manager()
 double Manager::GetNextTimeout()
 	{
-	return pending->empty() ? -1 : network_time + 0.100;
+	return pending->empty() ? -1 : zeek::run_state::network_time + 0.100;
 	}
 void Manager::Process()
@ -540,7 +540,7 @@ void Manager::Queue(Trigger* trigger)
 		Ref(trigger);
 		pending->push_back(trigger);
 		total_triggers++;
-		iosource_mgr->Wakeup(Tag());
+		zeek::iosource_mgr->Wakeup(Tag());
 		}
 	}
--- a/src/Trigger.h
+++ b/src/Trigger.h
@ -18,7 +18,9 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(Expr, zeek::detail);
 ZEEK_FORWARD_DECLARE_NAMESPACED(CallExpr, zeek::detail);
 ZEEK_FORWARD_DECLARE_NAMESPACED(ID, zeek::detail);
-namespace zeek::detail::trigger {
+namespace zeek::detail {
 namespace trigger {
 // Triggers are the heart of "when" statements: expressions that when
 // they become true execute a body of statements.
@ -26,7 +28,7 @@ namespace zeek::detail::trigger {
 class TriggerTimer;
 class TriggerTraversalCallback;
-class Trigger final : public Obj, public notifier::Receiver {
+class Trigger final : public Obj, public zeek::notifier::detail::Receiver {
 public:
 	// Don't access Trigger objects; they take care of themselves after
 	// instantiation.  Note that if the condition is already true, the
@ -76,7 +78,7 @@ public:
 	// Overidden from Notifier.  We queue the trigger and evaluate it
 	// later to avoid race conditions.
-	void Modified(notifier::Modifiable* m) override;
+	void Modified(zeek::notifier::detail::Modifiable* m) override;
 	// Overridden from notifer::Receiver.  If we're still waiting
 	// on an ID/Val to be modified at termination time, we can't hope
@ -109,7 +111,7 @@ private:
 	bool delayed; // true if a function call is currently being delayed
 	bool disabled;
-	std::vector<std::pair<Obj *, notifier::Modifiable*>> objs;
+	std::vector<std::pair<Obj *, zeek::notifier::detail::Modifiable*>> objs;
 	using ValCache = std::map<const zeek::detail::CallExpr*, Val*>;
 	ValCache cache;
@ -117,7 +119,7 @@ private:
 using TriggerPtr = zeek::IntrusivePtr<Trigger>;
-class Manager final : public iosource::IOSource {
+class Manager final : public zeek::iosource::IOSource {
 public:
 	Manager();
@ -143,11 +145,17 @@ private:
 	unsigned long total_triggers = 0;
 	};
-}
+} // namespace trigger
 extern trigger::Manager* trigger_mgr;
 } // namespace zeek::detail
 namespace trigger {
 	using Trigger [[deprecated("Remove in v4.1. Use zeek::detail::trigger::Trigger instead")]] = zeek::detail::trigger::Trigger;
 	using Manager [[deprecated("Remove in v4.1. Use zeek::detail::trigger::Manager instead")]] = zeek::detail::trigger::Manager;
 }
-extern zeek::detail::trigger::Manager* trigger_mgr;
+using Trigger [[deprecated("Remove in v4.1. Use zeek::detail::trigger::Trigger.")]] = zeek::detail::trigger::Trigger;
 using Manager [[deprecated("Remove in v4.1. Use zeek::detail::trigger::Manager.")]] = zeek::detail::trigger::Manager;
 } // namespace trigger
 extern zeek::detail::trigger::Manager*& trigger_mgr [[deprecated("Remove in v4.1. Use zeek::detail::trigger_mgr.")]];
--- a/src/TunnelEncapsulation.cc
+++ b/src/TunnelEncapsulation.cc
@ -13,7 +13,7 @@ EncapsulatingConn::EncapsulatingConn(Connection* c, BifEnum::Tunnel::Type t)
 	{
 	if ( ! uid )
 		{
-		uid.Set(bits_per_uid);
+		uid.Set(zeek::detail::bits_per_uid);
 		c->SetUID(uid);
 		}
 	}
--- a/src/TunnelEncapsulation.h
+++ b/src/TunnelEncapsulation.h
@ -46,7 +46,7 @@ public:
 	                  BifEnum::Tunnel::Type t = BifEnum::Tunnel::IP)
 		: src_addr(s), dst_addr(d), src_port(0), dst_port(0),
 		  proto(TRANSPORT_UNKNOWN), type(t),
-		  uid(zeek::UID(bits_per_uid))
+		  uid(zeek::UID(detail::bits_per_uid))
 		{
 		}
--- a/src/Type.cc
+++ b/src/Type.cc
@ -266,7 +266,7 @@ void Type::Describe(ODesc* d) const
 void Type::DescribeReST(ODesc* d, bool roles_only) const
 	{
-	d->Add(fmt(":zeek:type:`%s`", type_name(Tag())));
+	d->Add(zeek::util::fmt(":zeek:type:`%s`", type_name(Tag())));
 	}
 void Type::SetError()
@ -339,7 +339,7 @@ unsigned int TypeList::MemoryAllocation() const
 	for ( const auto& t : types )
 		size += t->MemoryAllocation();
-	size += pad_size(types.capacity() * sizeof(decltype(types)::value_type));
+	size += zeek::util::pad_size(types.capacity() * sizeof(decltype(types)::value_type));
 	return Type::MemoryAllocation()
 		+ padded_sizeof(*this) - padded_sizeof(Type)
@ -350,7 +350,7 @@ int IndexType::MatchesIndex(zeek::detail::ListExpr* const index) const
 	{
 	// If we have a type indexed by subnets, addresses are ok.
 	const auto& types = indices->GetTypes();
-	const expr_list& exprs = index->Exprs();
+	const ExprPList& exprs = index->Exprs();
 	if ( types.size() == 1 && types[0]->Tag() == TYPE_SUBNET &&
 	     exprs.length() == 1 && exprs[0]->GetType()->Tag() == TYPE_ADDR )
@ -553,8 +553,8 @@ FuncType::FuncType(RecordTypePtr arg_args,
 		else if ( has_default_arg )
 			{
-			const char* err_str = fmt("required parameter '%s' must precede "
+			const char* err_str = zeek::util::fmt("required parameter '%s' must precede "
-			                          "default parameters", td->id);
+			                                      "default parameters", td->id);
 			args->Error(err_str);
 			}
@ -603,7 +603,7 @@ int FuncType::MatchesIndex(zeek::detail::ListExpr* const index) const
 			MATCHES_INDEX_SCALAR : DOES_NOT_MATCH_INDEX;
 	}
-bool FuncType::CheckArgs(const type_list* args, bool is_init) const
+bool FuncType::CheckArgs(const TypePList* args, bool is_init) const
 	{
 	std::vector<TypePtr> as;
 	as.reserve(args->length());
@ -621,8 +621,8 @@ bool FuncType::CheckArgs(const std::vector<TypePtr>& args,
 	if ( my_args.size() != args.size() )
 		{
-		Warn(fmt("Wrong number of arguments for function. Expected %zu, got %zu.",
+		Warn(zeek::util::fmt("Wrong number of arguments for function. Expected %zu, got %zu.",
-		         args.size(), my_args.size()));
+		                     args.size(), my_args.size()));
 		return false;
 		}
@ -631,8 +631,8 @@ bool FuncType::CheckArgs(const std::vector<TypePtr>& args,
 	for ( size_t i = 0; i < my_args.size(); ++i )
 		if ( ! same_type(args[i], my_args[i], is_init) )
 			{
-			Warn(fmt("Type mismatch in function argument #%zu. Expected %s, got %s.",
+			Warn(zeek::util::fmt("Type mismatch in function argument #%zu. Expected %s, got %s.",
-				i, type_name(args[i]->Tag()), type_name(my_args[i]->Tag())));
+			                     i, type_name(args[i]->Tag()), type_name(my_args[i]->Tag())));
 			success = false;
 			}
@ -719,7 +719,7 @@ std::optional<FuncType::Prototype> FuncType::FindPrototype(const RecordType& arg
 			const auto& desired_type = args.GetFieldType(i);
 			if ( ! same_type(ptype, desired_type) ||
-			     ! streq(args.FieldName(i), p.args->FieldName(i)) )
+			     ! zeek::util::streq(args.FieldName(i), p.args->FieldName(i)) )
 				{
 				matched = false;
 				break;
@ -744,7 +744,7 @@ TypeDecl::TypeDecl(const TypeDecl& other)
 	type = other.type;
 	attrs = other.attrs;
-	id = copy_string(other.id);
+	id = zeek::util::copy_string(other.id);
 	}
 TypeDecl::~TypeDecl()
@ -821,7 +821,7 @@ int RecordType::FieldOffset(const char* field) const
 	loop_over_list(*types, i)
 		{
 		TypeDecl* td = (*types)[i];
-		if ( streq(td->id, field) )
+		if ( zeek::util::streq(td->id, field) )
 			return i;
 		}
@ -1045,7 +1045,7 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const
 			d->Add("<recursion>");
 		else
 			{
-			if ( num_fields == 1 && streq(td->id, "va_args") &&
+			if ( num_fields == 1 && zeek::util::streq(td->id, "va_args") &&
 			     td->type->Tag() == TYPE_ANY )
 				// This was a BIF using variable argument list
 				d->Add("...");
@ -1056,8 +1056,7 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const
 		if ( func_args )
 			continue;
-		using zeekygen::IdentifierInfo;
+		zeek::zeekygen::detail::IdentifierInfo* doc = zeek::detail::zeekygen_mgr->GetIdentifierInfo(GetName());
 		IdentifierInfo* doc = zeekygen_mgr->GetIdentifierInfo(GetName());
 		if ( ! doc )
 			{
@ -1076,7 +1075,7 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const
 		     field_from_script != type_from_script )
 			{
 			d->PushIndent();
-			d->Add(zeekygen::redef_indication(field_from_script).c_str());
+			d->Add(zeek::zeekygen::detail::redef_indication(field_from_script).c_str());
 			d->PopIndent();
 			}
@ -1096,7 +1095,7 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const
 				{
 				string s = cmnts[i];
-				if ( zeekygen::prettify_params(s) )
+				if ( zeek::zeekygen::detail::prettify_params(s) )
 					d->NL();
 				d->Add(s.c_str());
@ -1122,11 +1121,11 @@ string RecordType::GetFieldDeprecationWarning(int field, bool has_check) const
 			result = deprecation->DeprecationMessage();
 		if ( result.empty() )
-			return fmt("deprecated (%s%s$%s)", GetName().c_str(), has_check ? "?" : "",
+			return zeek::util::fmt("deprecated (%s%s$%s)", GetName().c_str(), has_check ? "?" : "",
-				FieldName(field));
+			                       FieldName(field));
 		else
-			return fmt("deprecated (%s%s$%s): %s", GetName().c_str(), has_check ? "?" : "",
+			return zeek::util::fmt("deprecated (%s%s$%s): %s", GetName().c_str(), has_check ? "?" : "",
-				FieldName(field), result.c_str());
+			                       FieldName(field), result.c_str());
 		}
 	return "";
@ -1182,7 +1181,7 @@ void OpaqueType::Describe(ODesc* d) const
 void OpaqueType::DescribeReST(ODesc* d, bool roles_only) const
 	{
-	d->Add(fmt(":zeek:type:`%s` of %s", type_name(Tag()), name.c_str()));
+	d->Add(zeek::util::fmt(":zeek:type:`%s` of %s", type_name(Tag()), name.c_str()));
 	}
 EnumType::EnumType(const string& name)
@ -1248,7 +1247,7 @@ void EnumType::CheckAndAddName(const string& module_name, const char* name,
 		return;
 		}
-	auto fullname = make_full_var_name(module_name.c_str(), name);
+	auto fullname = zeek::detail::make_full_var_name(module_name.c_str(), name);
 	auto id = zeek::id::find(fullname);
 	if ( ! id )
@ -1260,7 +1259,7 @@ void EnumType::CheckAndAddName(const string& module_name, const char* name,
 		if ( deprecation )
 			id->MakeDeprecated({zeek::NewRef{}, deprecation});
-		zeekygen_mgr->Identifier(std::move(id));
+		zeek::detail::zeekygen_mgr->Identifier(std::move(id));
 		}
 	else
 		{
@ -1299,14 +1298,14 @@ void EnumType::CheckAndAddName(const string& module_name, const char* name,
 void EnumType::AddNameInternal(const string& module_name, const char* name,
                               bro_int_t val, bool is_export)
 	{
-	string fullname = make_full_var_name(module_name.c_str(), name);
+	string fullname = zeek::detail::make_full_var_name(module_name.c_str(), name);
 	names[fullname] = val;
 	}
 bro_int_t EnumType::Lookup(const string& module_name, const char* name) const
 	{
 	NameMap::const_iterator pos =
-		names.find(make_full_var_name(module_name.c_str(), name).c_str());
+		names.find(zeek::detail::make_full_var_name(module_name.c_str(), name).c_str());
 	if ( pos == names.end() )
 		return -1;
@ -1373,12 +1372,11 @@ void EnumType::DescribeReST(ODesc* d, bool roles_only) const
 		d->PushIndent();
 		if ( roles_only )
-			d->Add(fmt(":zeek:enum:`%s`", it->second.c_str()));
+			d->Add(zeek::util::fmt(":zeek:enum:`%s`", it->second.c_str()));
 		else
-			d->Add(fmt(".. zeek:enum:: %s %s", it->second.c_str(), GetName().c_str()));
+			d->Add(zeek::util::fmt(".. zeek:enum:: %s %s", it->second.c_str(), GetName().c_str()));
-		using zeekygen::IdentifierInfo;
+		zeek::zeekygen::detail::IdentifierInfo* doc = zeek::detail::zeekygen_mgr->GetIdentifierInfo(it->second);
 		IdentifierInfo* doc = zeekygen_mgr->GetIdentifierInfo(it->second);
 		if ( ! doc )
 			{
@ -1393,7 +1391,7 @@ void EnumType::DescribeReST(ODesc* d, bool roles_only) const
 		if ( doc->GetDeclaringScript() )
 			enum_from_script = doc->GetDeclaringScript()->Name();
-		IdentifierInfo* type_doc = zeekygen_mgr->GetIdentifierInfo(GetName());
+		zeek::zeekygen::detail::IdentifierInfo* type_doc = zeek::detail::zeekygen_mgr->GetIdentifierInfo(GetName());
 		if ( type_doc && type_doc->GetDeclaringScript() )
 			type_from_script = type_doc->GetDeclaringScript()->Name();
@ -1403,7 +1401,7 @@ void EnumType::DescribeReST(ODesc* d, bool roles_only) const
 			{
 			d->NL();
 			d->PushIndent();
-			d->Add(zeekygen::redef_indication(enum_from_script).c_str());
+			d->Add(zeek::zeekygen::detail::redef_indication(enum_from_script).c_str());
 			d->PopIndent();
 			}
@ -1457,7 +1455,7 @@ const TypePtr& VectorType::Yield() const
 int VectorType::MatchesIndex(zeek::detail::ListExpr* const index) const
 	{
-	expr_list& el = index->Exprs();
+	ExprPList& el = index->Exprs();
 	if ( el.length() != 1 && el.length() != 2)
 		return DOES_NOT_MATCH_INDEX;
@ -1491,12 +1489,12 @@ void VectorType::Describe(ODesc* d) const
 void VectorType::DescribeReST(ODesc* d, bool roles_only) const
 	{
-	d->Add(fmt(":zeek:type:`%s` of ", type_name(Tag())));
+	d->Add(zeek::util::fmt(":zeek:type:`%s` of ", type_name(Tag())));
 	if ( yield_type->GetName().empty() )
 		yield_type->DescribeReST(d, roles_only);
 	else
-		d->Add(fmt(":zeek:type:`%s`", yield_type->GetName().c_str()));
+		d->Add(zeek::util::fmt(":zeek:type:`%s`", yield_type->GetName().c_str()));
 	}
 // Returns true if t1 is initialization-compatible with t2 (i.e., if an
@ -1628,7 +1626,7 @@ bool same_type(const Type& arg_t1, const Type& arg_t2,
 			const TypeDecl* td1 = rt1->FieldDecl(i);
 			const TypeDecl* td2 = rt2->FieldDecl(i);
-			if ( (match_record_field_names && ! streq(td1->id, td2->id)) ||
+			if ( (match_record_field_names && ! zeek::util::streq(td1->id, td2->id)) ||
 			     ! same_type(td1->type, td2->type, is_init, match_record_field_names) )
 				return false;
 			}
@ -1856,8 +1854,8 @@ TypePtr merge_types(const TypePtr& arg_t1,
 		// there creating clones of the type, so safer to compare name.
 		if ( t1->GetName() != t2->GetName() )
 			{
-			std::string msg = fmt("incompatible enum types: '%s' and '%s'",
+			std::string msg = zeek::util::fmt("incompatible enum types: '%s' and '%s'",
-			                      t1->GetName().data(), t2->GetName().data());
+			                                  t1->GetName().data(), t2->GetName().data());
 			t1->Error(msg.data(), t2);
 			return nullptr;
@ -1875,10 +1873,10 @@ TypePtr merge_types(const TypePtr& arg_t1,
 			// actually see those changes from the redef.
 			return id->GetType();
-		std::string msg = fmt("incompatible enum types: '%s' and '%s'"
+		std::string msg = zeek::util::fmt("incompatible enum types: '%s' and '%s'"
-		                      " ('%s' enum type ID is invalid)",
+		                                  " ('%s' enum type ID is invalid)",
-		                      t1->GetName().data(), t2->GetName().data(),
+		                                  t1->GetName().data(), t2->GetName().data(),
-		                      t1->GetName().data());
+		                                  t1->GetName().data());
 		t1->Error(msg.data(), t2);
 		return nullptr;
 		}
@ -1967,14 +1965,14 @@ TypePtr merge_types(const TypePtr& arg_t1,
 			const TypeDecl* td2 = rt2->FieldDecl(i);
 			auto tdl3_i = merge_types(td1->type, td2->type);
-			if ( ! streq(td1->id, td2->id) || ! tdl3_i )
+			if ( ! zeek::util::streq(td1->id, td2->id) || ! tdl3_i )
 				{
 				t1->Error("incompatible record fields", t2);
 				delete tdl3;
 				return nullptr;
 				}
-			tdl3->push_back(new TypeDecl(copy_string(td1->id), std::move(tdl3_i)));
+			tdl3->push_back(new TypeDecl(zeek::util::copy_string(td1->id), std::move(tdl3_i)));
 			}
 		return zeek::make_intrusive<RecordType>(tdl3);
@ -2121,7 +2119,7 @@ TypePtr init_type(zeek::detail::Expr* init)
 		}
 	zeek::detail::ListExpr* init_list = init->AsListExpr();
-	const expr_list& el = init_list->Exprs();
+	const ExprPList& el = init_list->Exprs();
 	if ( el.length() == 0 )
 		{
--- a/src/Type.h
+++ b/src/Type.h
@ -4,7 +4,7 @@
 #include "Obj.h"
 #include "Attr.h"
-#include "BroList.h"
+#include "ZeekList.h"
 #include "IntrusivePtr.h"
 #include <string>
@ -305,7 +305,7 @@ public:
 	~TypeList() override = default;
 	[[deprecated("Remove in v4.1. Use GetTypes() instead.")]]
-	const type_list* Types() const
+	const TypePList* Types() const
 		{ return &types_list; }
 	const std::vector<TypePtr>& GetTypes() const
@ -342,7 +342,7 @@ protected:
 	std::vector<TypePtr> types;
 	// Remove in v4.1. This is used by Types(), which is deprecated.
-	type_list types_list;
+	TypePList types_list;
 };
 class IndexType : public Type {
@ -357,7 +357,7 @@ public:
 	TypeList* Indices() const		{ return indices.get(); }
 	[[deprecated("Remove in v4.1. Use GetIndexTypes().")]]
-	const type_list* IndexTypes() const
+	const TypePList* IndexTypes() const
 		{
 #pragma GCC diagnostic push
 #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
@ -462,7 +462,7 @@ public:
 		{ yield = nullptr; flavor = arg_flav; }
 	int MatchesIndex(zeek::detail::ListExpr* index) const override;
-	bool CheckArgs(const type_list* args, bool is_init = false) const;
+	bool CheckArgs(const TypePList* args, bool is_init = false) const;
 	bool CheckArgs(const std::vector<TypePtr>& args,
 	               bool is_init = false) const;
--- a/src/UID.cc
+++ b/src/UID.cc
@ -24,7 +24,7 @@ void UID::Set(bro_uint_t bits, const uint64_t* v, size_t n)
 	size_t size = res.rem ? res.quot + 1 : res.quot;
 	for ( size_t i = 0; i < size; ++i )
-		uid[i] = v && i < n ? v[i] : calculate_unique_id();
+		uid[i] = v && i < n ? v[i] : zeek::util::calculate_unique_id();
 	if ( res.rem )
 		uid[0] >>= 64 - res.rem;
@ -37,7 +37,7 @@ std::string UID::Base62(std::string prefix) const
 	char tmp[sizeof(uid) * 8 + 1];  // enough for even binary representation
 	for ( size_t i = 0; i < BRO_UID_LEN; ++i )
-		prefix.append(uitoa_n(uid[i], tmp, sizeof(tmp), 62));
+		prefix.append(zeek::util::uitoa_n(uid[i], tmp, sizeof(tmp), 62));
 	return prefix;
 	}
--- a/src/Val.cc
+++ b/src/Val.cc
@ -20,7 +20,7 @@
 #include "ZeekString.h"
 #include "CompHash.h"
 #include "Dict.h"
-#include "Net.h"
+#include "RunState.h"
 #include "File.h"
 #include "Func.h"
 #include "Desc.h"
@ -421,7 +421,7 @@ detail::ID* Val::GetID() const
 void Val::SetID(detail::ID* id)
 	{
 	delete [] bound_id;
-	bound_id = id ? copy_string(id->Name()) : nullptr;
+	bound_id = id ? zeek::util::copy_string(id->Name()) : nullptr;
 	}
 #endif
@ -489,7 +489,8 @@ TableValPtr Val::GetRecordFields()
 	}
 // This is a static method in this file to avoid including rapidjson's headers in Val.h because they're huge.
-static void BuildJSON(threading::formatter::JSON::NullDoubleWriter& writer, Val* val, bool only_loggable=false, RE_Matcher* re=nullptr, const string& key="")
+static void BuildJSON(zeek::threading::formatter::JSON::NullDoubleWriter& writer, Val* val,
                      bool only_loggable=false, RE_Matcher* re=nullptr, const string& key="")
 	{
 	if ( !key.empty() )
 		writer.Key(key);
@ -557,7 +558,7 @@ static void BuildJSON(threading::formatter::JSON::NullDoubleWriter& writer, Val*
 			ODesc d;
 			d.SetStyle(RAW_STYLE);
 			val->Describe(&d);
-			writer.String(json_escape_utf8(string(reinterpret_cast<const char*>(d.Bytes()), d.Len())));
+			writer.String(zeek::util::json_escape_utf8(std::string(reinterpret_cast<const char*>(d.Bytes()), d.Len())));
 			break;
 			}
@ -585,7 +586,7 @@ static void BuildJSON(threading::formatter::JSON::NullDoubleWriter& writer, Val*
 				else
 					{
 					rapidjson::StringBuffer buffer;
-					threading::formatter::JSON::NullDoubleWriter key_writer(buffer);
+					zeek::threading::formatter::JSON::NullDoubleWriter key_writer(buffer);
 					BuildJSON(key_writer, entry_key, only_loggable, re);
 					string key_str = buffer.GetString();
@ -689,7 +690,7 @@ static void BuildJSON(threading::formatter::JSON::NullDoubleWriter& writer, Val*
 StringValPtr Val::ToJSON(bool only_loggable, RE_Matcher* re)
 	{
 	rapidjson::StringBuffer buffer;
-	threading::formatter::JSON::NullDoubleWriter writer(buffer);
+	zeek::threading::formatter::JSON::NullDoubleWriter writer(buffer);
 	BuildJSON(writer, this, only_loggable, re, "");
@ -1330,7 +1331,7 @@ unsigned int ListVal::MemoryAllocation() const
 	for ( const auto& val : vals )
 		size += val->MemoryAllocation();
-	size += pad_size(vals.capacity() * sizeof(decltype(vals)::value_type));
+	size += zeek::util::pad_size(vals.capacity() * sizeof(decltype(vals)::value_type));
 	return size + padded_sizeof(*this) + type->MemoryAllocation();
 	}
@ -1411,7 +1412,7 @@ TableVal::TableVal(TableTypePtr t, detail::AttributesPtr a) : Val(t)
 	Init(std::move(t));
 	SetAttrs(std::move(a));
-	if ( ! is_parsing )
+	if ( ! zeek::run_state::is_parsing )
 		return;
 	for ( const auto& t : table_type->GetIndexTypes() )
@ -1945,7 +1946,7 @@ const ValPtr& TableVal::Find(const ValPtr& index)
 		if ( v )
 			{
 			if ( attrs && attrs->Find(detail::ATTR_EXPIRE_READ) )
-				v->SetExpireAccess(network_time);
+				v->SetExpireAccess(run_state::network_time);
 			if ( v->GetVal() )
 				return v->GetVal();
@ -1969,7 +1970,7 @@ const ValPtr& TableVal::Find(const ValPtr& index)
 			if ( v )
 				{
 				if ( attrs && attrs->Find(detail::ATTR_EXPIRE_READ) )
-					v->SetExpireAccess(network_time);
+					v->SetExpireAccess(run_state::network_time);
 				if ( v->GetVal() )
 					return v->GetVal();
@ -2041,7 +2042,7 @@ TableValPtr TableVal::LookupSubnetValues(const SubNetVal* search)
 		if ( entry )
 			{
 			if ( attrs && attrs->Find(detail::ATTR_EXPIRE_READ) )
-				entry->SetExpireAccess(network_time);
+				entry->SetExpireAccess(run_state::network_time);
 			}
 		}
@ -2067,7 +2068,7 @@ bool TableVal::UpdateTimestamp(Val* index)
 	if ( ! v )
 		return false;
-	v->SetExpireAccess(network_time);
+	v->SetExpireAccess(run_state::network_time);
 	return true;
 	}
@ -2178,7 +2179,7 @@ void TableVal::SendToStore(const Val* index, const TableEntryVal* new_entry_val,
 			index_val = index;
 			}
-		auto broker_index = bro_broker::val_to_data(index_val);
+		auto broker_index = zeek::Broker::detail::val_to_data(index_val);
 		if ( ! broker_index )
 			{
@ -2203,15 +2204,15 @@ void TableVal::SendToStore(const Val* index, const TableEntryVal* new_entry_val,
 					if ( attrs->Find(zeek::detail::ATTR_EXPIRE_CREATE) )
 						{
 						// for create expiry, we have to substract the already elapsed time from the expiry.
-						auto e = expire_time - (network_time - new_entry_val->ExpireAccessTime());
+						auto e = expire_time - (run_state::network_time - new_entry_val->ExpireAccessTime());
 						if ( e <= 0 )
 							// element already expired? Let's not insert it.
 							break;
-						expiry = bro_broker::convert_expiry(e);
+						expiry = zeek::Broker::detail::convert_expiry(e);
 						}
 					else
-						expiry = bro_broker::convert_expiry(expire_time);
+						expiry = zeek::Broker::detail::convert_expiry(expire_time);
 					}
 				if ( table_type->IsSet() )
@ -2225,7 +2226,7 @@ void TableVal::SendToStore(const Val* index, const TableEntryVal* new_entry_val,
 						}
 					auto new_value = new_entry_val->GetVal().get();
-					auto broker_val = bro_broker::val_to_data(new_value);
+					auto broker_val = zeek::Broker::detail::val_to_data(new_value);
 					if ( ! broker_val )
 						{
 						zeek::emit_builtin_error("invalid Broker data conversation for table value");
@ -2444,7 +2445,7 @@ void TableVal::Describe(ODesc* d) const
 		if ( d->IsReadable() && ! d->IsShort() && d->IncludeStats() )
 			{
 			d->Add(" @");
-			d->Add(fmt_access_time(v->ExpireAccessTime()));
+			d->Add(zeek::util::detail::fmt_access_time(v->ExpireAccessTime()));
 			}
 		}
@ -2527,7 +2528,7 @@ void TableVal::InitDefaultFunc(zeek::detail::Frame* f)
 void TableVal::InitTimer(double delay)
 	{
-	timer = new TableValTimer(this, network_time + delay);
+	timer = new TableValTimer(this, run_state::network_time + delay);
 	zeek::detail::timer_mgr->Add(timer);
 	}
@ -2556,8 +2557,8 @@ void TableVal::DoExpire(double t)
 	TableEntryVal* v_saved = nullptr;
 	bool modified = false;
-	for ( int i = 0; i < table_incremental_step &&
+	for ( int i = 0; i < zeek::detail::table_incremental_step &&
-			 (v = tbl->NextEntry(k, expire_cookie)); ++i )
+		      (v = tbl->NextEntry(k, expire_cookie)); ++i )
 		{
 		if ( v->ExpireAccessTime() == 0 )
 			{
@ -2594,7 +2595,7 @@ void TableVal::DoExpire(double t)
 					{
 					// User doesn't want us to expire
 					// this now.
-					v->SetExpireAccess(network_time - timeout + secs);
+					v->SetExpireAccess(run_state::network_time - timeout + secs);
 					delete k;
 					continue;
 					}
@ -2631,10 +2632,10 @@ void TableVal::DoExpire(double t)
 	if ( ! v )
 		{
 		expire_cookie = nullptr;
-		InitTimer(table_expire_interval);
+		InitTimer(zeek::detail::table_expire_interval);
 		}
 	else
-		InitTimer(table_expire_delay);
+		InitTimer(zeek::detail::table_expire_delay);
 	}
 double TableVal::GetExpireTime()
@ -2873,7 +2874,7 @@ RecordVal::RecordVal(RecordTypePtr t, bool init_fields) : Val(std::move(t))
 	auto vl = val.record_val = new std::vector<ValPtr>;
 	vl->reserve(n);
-	if ( is_parsing )
+	if ( zeek::run_state::is_parsing )
 		parse_time_records[rt].emplace_back(NewRef{}, this);
 	if ( ! init_fields )
@ -3173,7 +3174,7 @@ unsigned int RecordVal::MemoryAllocation() const
 		    size += v->MemoryAllocation();
 		}
-	size += pad_size(vl.capacity() * sizeof(ValPtr));
+	size += zeek::util::pad_size(vl.capacity() * sizeof(ValPtr));
 	size += padded_sizeof(vl);
 	return size + padded_sizeof(*this);
 	}
@ -3520,7 +3521,7 @@ bool same_atomic_val(const Val* v1, const Val* v2)
 	return false;
 	}
-void describe_vals(const val_list* vals, ODesc* d, int offset)
+void describe_vals(const ValPList* vals, ODesc* d, int offset)
 	{
 	if ( ! d->IsReadable() )
 		{
@ -3555,7 +3556,7 @@ void describe_vals(const std::vector<ValPtr>& vals,
 		}
 	}
-void delete_vals(val_list* vals)
+void delete_vals(ValPList* vals)
 	{
 	if ( vals )
 		{
@ -3578,14 +3579,14 @@ ValPtr cast_value_to_type(Val* v, Type* t)
 	if ( same_type(v->GetType(), t) )
 		return {NewRef{}, v};
-	if ( same_type(v->GetType(), bro_broker::DataVal::ScriptDataType()) )
+	if ( same_type(v->GetType(), zeek::Broker::detail::DataVal::ScriptDataType()) )
 		{
 		const auto& dv = v->AsRecordVal()->GetField(0);
 		if ( ! dv )
 			return nullptr;
-		return static_cast<bro_broker::DataVal*>(dv.get())->castTo(t);
+		return static_cast<zeek::Broker::detail::DataVal*>(dv.get())->castTo(t);
 		}
 	return nullptr;
@ -3604,14 +3605,14 @@ bool can_cast_value_to_type(const Val* v, Type* t)
 	if ( same_type(v->GetType(), t) )
 		return true;
-	if ( same_type(v->GetType(), bro_broker::DataVal::ScriptDataType()) )
+	if ( same_type(v->GetType(), zeek::Broker::detail::DataVal::ScriptDataType()) )
 		{
 		const auto& dv = v->AsRecordVal()->GetField(0);
 		if ( ! dv )
 			return false;
-		return static_cast<const bro_broker::DataVal *>(dv.get())->canCastTo(t);
+		return static_cast<const zeek::Broker::detail::DataVal *>(dv.get())->canCastTo(t);
 		}
 	return false;
@ -3627,7 +3628,7 @@ bool can_cast_value_to_type(const Type* s, Type* t)
 	if ( same_type(s, t) )
 		return true;
-	if ( same_type(s, bro_broker::DataVal::ScriptDataType()) )
+	if ( same_type(s, zeek::Broker::detail::DataVal::ScriptDataType()) )
 		// As Broker is dynamically typed, we don't know if we will be able
 		// to convert the type as intended. We optimistically assume that we
 		// will.
--- a/src/Val.h
+++ b/src/Val.h
@ -48,15 +48,18 @@ namespace zeek::detail { class ScriptFunc; }
 using BroFunc [[deprecated("Remove in v4.1. Use zeek::detail::ScriptFunc instead.")]] = zeek::detail::ScriptFunc;
 ZEEK_FORWARD_DECLARE_NAMESPACED(PrefixTable, zeek::detail);
 class StateAccess;
 ZEEK_FORWARD_DECLARE_NAMESPACED(RE_Matcher, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(CompositeHash, zeek::detail);
 ZEEK_FORWARD_DECLARE_NAMESPACED(HashKey, zeek::detail);
 extern double bro_start_network_time;
 namespace zeek {
 namespace run_state {
 extern double network_time;
 extern double zeek_start_network_time;
 }
 using FuncPtr = zeek::IntrusivePtr<Func>;
 using FilePtr = zeek::IntrusivePtr<File>;
@ -341,7 +344,7 @@ public:
 	// To be overridden by mutable derived class to enable change
 	// notification.
-	virtual notifier::Modifiable* Modifiable()	{ return nullptr; }
+	virtual zeek::notifier::detail::Modifiable* Modifiable()	{ return nullptr; }
 #ifdef DEBUG
 	// For debugging, we keep a reference to the global ID to which a
@ -730,7 +733,7 @@ public:
 		: val(std::move(v))
 		{
 		expire_access_time =
-			int(network_time - bro_start_network_time);
+			int(run_state::network_time - run_state::zeek_start_network_time);
 		}
 	TableEntryVal* Clone(Val::CloneState* state);
@ -743,9 +746,9 @@ public:
 	// Returns/sets time of last expiration relevant access to this value.
 	double ExpireAccessTime() const
-		{ return bro_start_network_time + expire_access_time; }
+		{ return run_state::zeek_start_network_time + expire_access_time; }
 	void SetExpireAccess(double time)
-		{ expire_access_time = int(time - bro_start_network_time); }
+		{ expire_access_time = int(time - run_state::zeek_start_network_time); }
 protected:
 	friend class TableVal;
@ -771,7 +774,7 @@ protected:
 	TableVal* table;
 };
-class TableVal final : public Val, public notifier::Modifiable {
+class TableVal final : public Val, public zeek::notifier::detail::Modifiable {
 public:
 	explicit TableVal(zeek::TableTypePtr t, zeek::detail::AttributesPtr attrs = nullptr);
@ -1012,7 +1015,7 @@ public:
 	[[deprecated("Remove in v4.1.  Use MakeHashKey().")]]
 	zeek::detail::HashKey* ComputeHash(const Val* index) const;
-	notifier::Modifiable* Modifiable() override	{ return this; }
+	zeek::notifier::detail::Modifiable* Modifiable() override	{ return this; }
 	// Retrieves and saves all table state (key-value pairs) for
 	// tables whose index type depends on the given zeek::RecordType.
@ -1102,7 +1105,7 @@ protected:
 	static ParseTimeTableStates parse_time_table_states;
 };
-class RecordVal final : public Val, public notifier::Modifiable {
+class RecordVal final : public Val, public zeek::notifier::detail::Modifiable {
 public:
 	[[deprecated("Remove in v4.1.  Construct from IntrusivePtr instead.")]]
 	explicit RecordVal(zeek::RecordType* t, bool init_fields = true);
@ -1255,7 +1258,7 @@ public:
 	unsigned int MemoryAllocation() const override;
 	void DescribeReST(ODesc* d) const override;
-	notifier::Modifiable* Modifiable() override	{ return this; }
+	zeek::notifier::detail::Modifiable* Modifiable() override	{ return this; }
 	// Extend the underlying arrays of record instances created during
 	// parsing to match the number of fields in the record type (they may
@ -1292,7 +1295,7 @@ protected:
 };
-class VectorVal final : public Val, public notifier::Modifiable {
+class VectorVal final : public Val, public zeek::notifier::detail::Modifiable {
 public:
 	[[deprecated("Remove in v4.1.  Construct from IntrusivePtr instead.")]]
 	explicit VectorVal(zeek::VectorType* t);
@ -1372,7 +1375,7 @@ public:
 	// Won't shrink size.
 	unsigned int ResizeAtLeast(unsigned int new_num_elements);
-	notifier::Modifiable* Modifiable() override	{ return this; }
+	zeek::notifier::detail::Modifiable* Modifiable() override	{ return this; }
 	/**
 	 * Inserts an element at the given position in the vector.  All elements
@ -1407,10 +1410,10 @@ extern ValPtr check_and_promote(
 extern bool same_val(const Val* v1, const Val* v2);
 extern bool same_atomic_val(const Val* v1, const Val* v2);
 extern bool is_atomic_val(const Val* v);
-extern void describe_vals(const val_list* vals, ODesc* d, int offset=0);
+extern void describe_vals(const ValPList* vals, ODesc* d, int offset=0);
 extern void describe_vals(const std::vector<ValPtr>& vals,
                          ODesc* d, size_t offset = 0);
-extern void delete_vals(val_list* vals);
+extern void delete_vals(ValPList* vals);
 // True if the given Val* has a vector type.
 inline bool is_vector(Val* v)	{ return  v->GetType()->Tag() == zeek::TYPE_VECTOR; }
@ -1433,7 +1436,7 @@ extern bool can_cast_value_to_type(const Val* v, zeek::Type* t);
 // specific instance later.
 extern bool can_cast_value_to_type(const zeek::Type* s, zeek::Type* t);
-}
+} // namespace zeek
 using Val [[deprecated("Remove in v4.1. Use zeek::Val instead.")]] = zeek::Val;
 using PortVal [[deprecated("Remove in v4.1. Use zeek::PortVal instead.")]] = zeek::PortVal;
--- a/src/Var.cc
+++ b/src/Var.cc
@ -17,7 +17,7 @@
 #include "module_util.h"
 #include "ID.h"
-using namespace zeek::detail;
+namespace zeek::detail {
 static zeek::ValPtr init_val(zeek::detail::Expr* init,
                             const zeek::Type* t,
@ -84,7 +84,7 @@ static bool add_prototype(const zeek::detail::IDPtr& id, zeek::Type* t,
 		if ( alt_args->FieldDecl(i)->attrs )
 			{
-			alt_ft->Error(fmt("alternate function prototype arguments may not have attributes: arg '%s'", field), canon_ft);
+			alt_ft->Error(zeek::util::fmt("alternate function prototype arguments may not have attributes: arg '%s'", field), canon_ft);
 			return false;
 			}
@ -92,7 +92,7 @@ static bool add_prototype(const zeek::detail::IDPtr& id, zeek::Type* t,
 		if ( o < 0 )
 			{
-			alt_ft->Error(fmt("alternate function prototype arg '%s' not found in canonical prototype", field), canon_ft);
+			alt_ft->Error(zeek::util::fmt("alternate function prototype arg '%s' not found in canonical prototype", field), canon_ft);
 			return false;
 			}
@ -125,7 +125,7 @@ static void make_var(const zeek::detail::IDPtr& id, zeek::TypePtr t,
                     zeek::detail::InitClass c,
                     zeek::detail::ExprPtr init,
                     std::unique_ptr<std::vector<AttrPtr>> attr,
-                     decl_type dt,
+                     DeclType dt,
                     bool do_init)
 	{
 	if ( id->GetType() )
@ -327,7 +327,7 @@ void add_global(
 	zeek::TypePtr t,
 	zeek::detail::InitClass c, zeek::detail::ExprPtr init,
 	std::unique_ptr<std::vector<AttrPtr>> attr,
-	decl_type dt)
+	DeclType dt)
 	{
 	make_var(id, std::move(t), c, std::move(init), std::move(attr), dt, true);
 	}
@ -336,7 +336,7 @@ zeek::detail::StmtPtr add_local(
 	zeek::detail::IDPtr id, zeek::TypePtr t,
 	zeek::detail::InitClass c, zeek::detail::ExprPtr init,
 	std::unique_ptr<std::vector<AttrPtr>> attr,
-	decl_type dt)
+	DeclType dt)
 	{
 	make_var(id, std::move(t), c, init, std::move(attr), dt, false);
@ -469,12 +469,12 @@ static std::optional<zeek::FuncType::Prototype> func_type_check(const zeek::Func
 				auto msg = ad->DeprecationMessage();
 				if ( msg.empty() )
-					impl->Warn(fmt("use of deprecated parameter '%s'",
+					impl->Warn(zeek::util::fmt("use of deprecated parameter '%s'",
-				                   rval->args->FieldName(i)),
+					                           rval->args->FieldName(i)),
-				               decl, true);
+					           decl, true);
 				else
-					impl->Warn(fmt("use of deprecated parameter '%s': %s",
+					impl->Warn(zeek::util::fmt("use of deprecated parameter '%s': %s",
-				                   rval->args->FieldName(i), msg.data()),
+					                           rval->args->FieldName(i), msg.data()),
 				               decl, true);
 				}
@ -553,11 +553,11 @@ void begin_func(zeek::detail::IDPtr id, const char* module_name,
 			if ( prototype->deprecated )
 				{
 				if ( prototype->deprecation_msg.empty() )
-					t->Warn(fmt("use of deprecated '%s' prototype", id->Name()),
+					t->Warn(zeek::util::fmt("use of deprecated '%s' prototype", id->Name()),
 					        prototype->args.get(), true);
 				else
-					t->Warn(fmt("use of deprecated '%s' prototype: %s",
+					t->Warn(zeek::util::fmt("use of deprecated '%s' prototype: %s",
-					            id->Name(), prototype->deprecation_msg.data()),
+					                        id->Name(), prototype->deprecation_msg.data()),
 					        prototype->args.get(), true);
 				}
 			}
@ -648,7 +648,7 @@ void begin_func(zeek::detail::IDPtr id, const char* module_name,
 		if ( hide )
 			// Note the illegal '-' in hidden name implies we haven't
 			// clobbered any local variable names.
-			local_name = fmt("%s-hidden", local_name);
+			local_name = zeek::util::fmt("%s-hidden", local_name);
 		arg_id = zeek::detail::install_ID(local_name, module_name, false, false);
 		arg_id->SetType(arg_i->type);
@ -744,12 +744,12 @@ zeek::Val* internal_val(const char* name)
 	return zeek::id::find_val(name).get();
 	}
-id_list gather_outer_ids(zeek::detail::Scope* scope, zeek::detail::Stmt* body)
+IDPList gather_outer_ids(zeek::detail::Scope* scope, zeek::detail::Stmt* body)
 	{
 	OuterIDBindingFinder cb(scope);
 	body->Traverse(&cb);
-	id_list idl ( cb.outer_id_references.size() );
+	IDPList idl ( cb.outer_id_references.size() );
 	for ( size_t i = 0; i < cb.outer_id_references.size(); ++i )
 		{
@ -861,3 +861,5 @@ zeek::EventHandlerPtr internal_handler(const char* name)
 	{
 	return zeek::event_registry->Register(name);
 	}
 } // namespace zeek::detail
--- a/src/Var.h
+++ b/src/Var.h
@ -16,17 +16,17 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(Expr, zeek::detail);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Scope, zeek::detail);
 namespace zeek::detail {
 using StmtPtr = zeek::IntrusivePtr<zeek::detail::Stmt>;
 }
-typedef enum { VAR_REGULAR, VAR_CONST, VAR_REDEF, VAR_OPTION, } decl_type;
+using StmtPtr = zeek::IntrusivePtr<zeek::detail::Stmt>;
 enum DeclType { VAR_REGULAR, VAR_CONST, VAR_REDEF, VAR_OPTION, };
 extern void add_global(const zeek::detail::IDPtr& id,
                       zeek::TypePtr t,
                       zeek::detail::InitClass c,
                       zeek::detail::ExprPtr init,
                       std::unique_ptr<std::vector<zeek::detail::AttrPtr>> attr,
-                       decl_type dt);
+                       DeclType dt);
 extern zeek::detail::StmtPtr add_local(
 	zeek::detail::IDPtr id,
@ -34,7 +34,7 @@ extern zeek::detail::StmtPtr add_local(
 	zeek::detail::InitClass c,
 	zeek::detail::ExprPtr init,
 	std::unique_ptr<std::vector<zeek::detail::AttrPtr>> attr,
-	decl_type dt);
+	DeclType dt);
 extern zeek::detail::ExprPtr add_and_assign_local(
 	zeek::detail::IDPtr id,
@ -52,7 +52,23 @@ extern void begin_func(zeek::detail::IDPtr id, const char* module_name,
 extern void end_func(zeek::detail::StmtPtr body);
 // Gather all IDs referenced inside a body that aren't part of a given scope.
-extern id_list gather_outer_ids(zeek::detail::Scope* scope, zeek::detail::Stmt* body);
+extern IDPList gather_outer_ids(zeek::detail::Scope* scope, zeek::detail::Stmt* body);
 } // namespace zeek::detail
 using decl_type [[deprecated("Remove in v4.1. Use zeek::detail::DeclType.")]] = zeek::detail::DeclType;
 constexpr auto VAR_REGULAR [[deprecated("Remove in v4.1. Use zeek::detail::VAR_REGULAR.")]] = zeek::detail::VAR_REGULAR;
 constexpr auto VAR_CONST [[deprecated("Remove in v4.1. Use zeek::detail::VAR_CONST.")]] = zeek::detail::VAR_CONST;
 constexpr auto VAR_REDEF [[deprecated("Remove in v4.1. Use zeek::detail::VAR_REDEF.")]] = zeek::detail::VAR_REDEF;
 constexpr auto VAR_OPTION [[deprecated("Remove in v4.1. Use zeek::detail::VAR_OPTION.")]] = zeek::detail::VAR_OPTION;
 constexpr auto add_global [[deprecated("Remove in v4.1. Use zeek::detail::add_global.")]] = zeek::detail::add_global;
 constexpr auto add_local [[deprecated("Remove in v4.1. Use zeek::detail::add_local.")]] = zeek::detail::add_local;
 constexpr auto add_and_assign_local [[deprecated("Remove in v4.1. Use zeek::detail::add_and_assign_local.")]] = zeek::detail::add_and_assign_local;
 constexpr auto add_type [[deprecated("Remove in v4.1. Use zeek::detail::add_type.")]] = zeek::detail::add_type;
 constexpr auto begin_func [[deprecated("Remove in v4.1. Use zeek::detail::begin_func.")]] = zeek::detail::begin_func;
 constexpr auto end_func [[deprecated("Remove in v4.1. Use zeek::detail::end_func.")]] = zeek::detail::end_func;
 constexpr auto gather_outer_ids [[deprecated("Remove in v4.1. Use zeek::detail::gather_outer_ids.")]] = zeek::detail::gather_outer_ids;
 [[deprecated("Remove in v4.1.  Use zeek::id::find_val().")]]
 extern zeek::Val* internal_val(const char* name);
--- a/src/WeirdState.cc
+++ b/src/WeirdState.cc
@ -1,5 +1,5 @@
 #include "WeirdState.h"
-#include "Net.h"
+#include "RunState.h"
 #include "util.h"
 namespace zeek::detail {
@ -14,10 +14,10 @@ bool PermitWeird(WeirdStateMap& wsm, const char* name, uint64_t threshold,
 		return true;
 	if ( state.count == threshold + 1)
-		state.sampling_start_time = network_time;
+		state.sampling_start_time = zeek::run_state::network_time;
 	else
 		{
-		if ( network_time > state.sampling_start_time + duration )
+		if ( zeek::run_state::network_time > state.sampling_start_time + duration )
 			{
 			state.sampling_start_time = 0;
 			state.count = 1;
--- a/Show more
+++ b/Show more
		`@ -1 +1 @@`
			`Subproject commit 2affd6a4fd7b2543a533c481334828d3a47890d6`				`Subproject commit 1f7e277dd43fb69acaf44aaac4d2fe04207ff6ad`