From 2446a942e0177c4f6bb2bc59b5be9e0376e14cdb Mon Sep 17 00:00:00 2001 From: Gilbert Clark Date: Thu, 4 Sep 2014 20:41:44 -0400 Subject: [PATCH 001/109] Plugin API: minor change (adding parent frame) to support calling methods from hook. Also declare network time update argument to be const because good practice. --- src/Func.cc | 4 ++-- src/plugin/Manager.cc | 7 ++++--- src/plugin/Manager.h | 4 ++-- src/plugin/Plugin.cc | 4 ++-- src/plugin/Plugin.h | 4 ++-- 5 files changed, 12 insertions(+), 11 deletions(-) diff --git a/src/Func.cc b/src/Func.cc index d66e9c71fa..ae449afeb3 100644 --- a/src/Func.cc +++ b/src/Func.cc @@ -331,7 +331,7 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const if ( sample_logger ) sample_logger->FunctionSeen(this); - Val* plugin_result = PLUGIN_HOOK_WITH_RESULT(HOOK_CALL_FUNCTION, HookCallFunction(this, args), 0); + Val* plugin_result = PLUGIN_HOOK_WITH_RESULT(HOOK_CALL_FUNCTION, HookCallFunction(this, parent, args), 0); if ( plugin_result ) return HandlePluginResult(plugin_result, args, Flavor()); @@ -548,7 +548,7 @@ Val* BuiltinFunc::Call(val_list* args, Frame* parent) const if ( sample_logger ) sample_logger->FunctionSeen(this); - Val* plugin_result = PLUGIN_HOOK_WITH_RESULT(HOOK_CALL_FUNCTION, HookCallFunction(this, args), 0); + Val* plugin_result = PLUGIN_HOOK_WITH_RESULT(HOOK_CALL_FUNCTION, HookCallFunction(this, parent, args), 0); if ( plugin_result ) return HandlePluginResult(plugin_result, args, FUNC_FLAVOR_FUNCTION); diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index ab0b85676b..f416172153 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc 
@@ -559,13 +559,14 @@ int Manager::HookLoadFile(const string& file) return rc; } -Val* Manager::HookCallFunction(const Func* func, val_list* vargs) const +Val* Manager::HookCallFunction(const Func* func, Frame* parent, val_list* vargs) const { HookArgumentList args; if ( HavePluginForHook(META_HOOK_PRE) ) { args.push_back(HookArgument(func)); + args.push_back(HookArgument(parent)); args.push_back(HookArgument(vargs)); MetaHookPre(HOOK_CALL_FUNCTION, args); } @@ -579,7 +580,7 @@ Val* Manager::HookCallFunction(const Func* func, val_list* vargs) const { Plugin* p = (*i).second; - v = p->HookCallFunction(func, vargs); + v = p->HookCallFunction(func, parent, vargs); if ( v ) break; @@ -644,7 +645,7 @@ void Manager::HookDrainEvents() const } -void Manager::HookUpdateNetworkTime(double network_time) const +void Manager::HookUpdateNetworkTime(const double network_time) const { HookArgumentList args; diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h index 39a2f7f887..349db3e483 100644 --- a/src/plugin/Manager.h +++ b/src/plugin/Manager.h @@ -244,7 +244,7 @@ public: * functions and events, it may be any Val and must be ignored). If no * plugin handled the call, the method returns null. */ - Val* HookCallFunction(const Func* func, val_list* args) const; + Val* HookCallFunction(const Func* func, Frame *parent, val_list* args) const; /** * Hook that filters the queuing of an event. @@ -261,7 +261,7 @@ public: * * @param network_time The new network time. */ - void HookUpdateNetworkTime(double network_time) const; + void HookUpdateNetworkTime(const double network_time) const; /** * Hook that informs plugins that the event queue is being drained. diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index 8aaadc1ec7..b0ccf38990 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc 
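Review bot: The doc comment above `Manager::HookCallFunction` in Manager.h (hunk -244) is not extended for the new `parent` argument, and the same is true of the virtual in Plugin.h (hunk -573 of this commit); the diffstat shows only the two signature lines changed in each header. Plugin authors need to know what the frame represents and whether it can be null. I would add a line such as `@param parent The frame of the caller; may be null (confirm against the Call() callers).` to both comments. Both doc comments begin outside the hunks shown.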
@@ -271,7 +271,7 @@ int Plugin::HookLoadFile(const std::string& file, const std::string& ext) return -1; } -Val* Plugin::HookCallFunction(const Func* func, val_list* args) +Val* Plugin::HookCallFunction(const Func* func, Frame *parent, val_list* args) { return 0; } @@ -285,7 +285,7 @@ void Plugin::HookDrainEvents() { } -void Plugin::HookUpdateNetworkTime(double network_time) +void Plugin::HookUpdateNetworkTime(const double network_time) { } diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 978e22b634..7794b496b2 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -573,7 +573,7 @@ protected: * ignored; best to use a \c TYPE_ANY). If the plugin did not handle * the call, it must return null. */ - virtual Val* HookCallFunction(const Func* func, val_list* args); + virtual Val* HookCallFunction(const Func* func, Frame *parent, val_list* args); /** * Hook into raising events. Whenever the script interpreter is about @@ -607,7 +607,7 @@ protected: * * @param networkt_time The new network time. */ - virtual void HookUpdateNetworkTime(double network_time); + virtual void HookUpdateNetworkTime(const double network_time); /** * Hook for destruction of objects registered with From 1a456cf9f7ebc30eadb8fc58b93fe576fc86712e Mon Sep 17 00:00:00 2001 From: Gilbert Clark Date: Sat, 6 Sep 2014 13:48:44 -0400 Subject: [PATCH 002/109] Tweaks to result handling to make things a little more sane. --- src/Func.cc | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/src/Func.cc b/src/Func.cc index ae449afeb3..19ed5e1ea6 100644 --- a/src/Func.cc +++ b/src/Func.cc 
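Review bot: Changing the virtual `Plugin::HookCallFunction` in Plugin.h (hunk -573) to take `Frame *parent` means a plugin that still declares the two-argument form keeps compiling but no longer overrides the hook, so it silently stops being called. For a plugin that uses this hook to filter or audit function calls, that is a silent loss of enforcement rather than a build error. The signature change should go together with a plugin API version bump so stale plugins are rejected at load time; the version constant is not visible in this diff, so confirm it is raised elsewhere in the series.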
@@ -274,16 +274,23 @@ Val* Func::HandlePluginResult(Val* plugin_result, val_list* args, function_flavo else { - if ( plugin_result->Type()->Tag() != yt->Tag() ) - reporter->InternalError("plugin returned wrong type for function call"); - } + if ( plugin_result->Type()->Tag() != yt->Tag() && yt->Tag() != TYPE_ANY) + { + char sbuf[1024]; + snprintf(sbuf, 1024, "plugin returned wrong type (got %d, expecting %d) for %s", plugin_result->Type()->Tag(), yt->Tag(), this->Name()); + reporter->InternalError(sbuf); + } + } break; } } + /* + Let the plugin handle the reference counting loop_over_list(*args, i) Unref((*args)[i]); + */ return plugin_result; } From 8d04f58eda9c5890a7a93f8d9b0a720b268d2c4b Mon Sep 17 00:00:00 2001 From: Gilbert Clark Date: Fri, 19 Sep 2014 21:55:47 -0400 Subject: [PATCH 003/109] Reverting change to const status of network_time. Also, see FIXME: in Func.cc / HandlePluginResult ... --- src/Func.cc | 23 ++++++++++++++++++----- src/plugin/Manager.cc | 2 +- src/plugin/Manager.h | 2 +- src/plugin/Plugin.cc | 2 +- src/plugin/Plugin.h | 4 ++-- 5 files changed, 23 insertions(+), 10 deletions(-) diff --git a/src/Func.cc b/src/Func.cc index 19ed5e1ea6..9a4ff6a4fb 100644 --- a/src/Func.cc +++ b/src/Func.cc 
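Review bot: `reporter->InternalError(sbuf)` passes the already formatted buffer as the format argument; the removed call passed a string literal, and if InternalError is printf-style (its declaration is not in this diff) any `%` that reaches `sbuf` through `this->Name()` is interpreted a second time. Pass the format and arguments directly, `reporter->InternalError("plugin returned wrong type (got %d, expecting %d) for %s", plugin_result->Type()->Tag(), yt->Tag(), this->Name());`, or at minimum `reporter->InternalError("%s", sbuf);`. The same pattern is added again in the HandlePluginResult hunks of PATCH 004. Separately, commenting out the `Unref` loop moves responsibility for releasing `args` to the plugin without updating the HookCallFunction contract in Plugin.h; the function begins outside this hunk.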
@@ -269,12 +269,28 @@ Val* Func::HandlePluginResult(Val* plugin_result, val_list* args, function_flavo if ( (! yt) || yt->Tag() == TYPE_VOID ) { Unref(plugin_result); - plugin_result = 0; + plugin_result = NULL; } else { - if ( plugin_result->Type()->Tag() != yt->Tag() && yt->Tag() != TYPE_ANY) + /* + FIXME: I know this probably isn't a good idea, but what's the better solution? + + Hack: we want a way to force a NULL return in certain cases (e.g. function delayed). Since no function should ever reasonably return + an error, we use the error type to represent this case. + + Note that re-using a type that a function could reasonably return breaks down in the case of e.g. a delayed function, where the function + will have a very specific type but still return NULL because things have not yet been evaluated. Thus, if the delayed method returns a + bool, and our garbage return value is a bool, then how do we know whether or not the Val* returned by the function is actually meaningful + in the general case? + */ + if ( plugin_result->Type()->Tag() == TYPE_ERROR ) + { + Unref(plugin_result); + plugin_result = NULL; + } + else if ( plugin_result->Type()->Tag() != yt->Tag() && yt->Tag() != TYPE_ANY) { char sbuf[1024]; snprintf(sbuf, 1024, "plugin returned wrong type (got %d, expecting %d) for %s", plugin_result->Type()->Tag(), yt->Tag(), this->Name()); @@ -286,11 +302,8 @@ Val* Func::HandlePluginResult(Val* plugin_result, val_list* args, function_flavo } } - /* - Let the plugin handle the reference counting loop_over_list(*args, i) Unref((*args)[i]); - */ return plugin_result; } diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index f416172153..60e4d4fb78 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -645,7 +645,7 @@ void Manager::HookDrainEvents() const } -void Manager::HookUpdateNetworkTime(const double network_time) const +void Manager::HookUpdateNetworkTime(double network_time) const { HookArgumentList args; 
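Review bot: The new `TYPE_ERROR` branch in the first Func.cc hunk turns a plugin-returned error value into a NULL result, but the convention is described only in the FIXME here; the `@return` text of `Plugin::HookCallFunction` in Plugin.h is not touched by this commit. Because the branch sits before the `else if`, an error-typed Val also bypasses the yield-type check for every non-void function. A plugin author cannot learn the sentinel from the public header, so I would add to that doc comment a sentence like `Returning a Val of TYPE_ERROR makes the call return null to the interpreter.` and remove the open question from the code once the design is settled. HandlePluginResult begins outside the hunk.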
diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h index 349db3e483..02071fa5b7 100644 --- a/src/plugin/Manager.h +++ b/src/plugin/Manager.h @@ -261,7 +261,7 @@ public: * * @param network_time The new network time. */ - void HookUpdateNetworkTime(const double network_time) const; + void HookUpdateNetworkTime(double network_time) const; /** * Hook that informs plugins that the event queue is being drained. diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index b0ccf38990..9565236d81 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -285,7 +285,7 @@ void Plugin::HookDrainEvents() { } -void Plugin::HookUpdateNetworkTime(const double network_time) +void Plugin::HookUpdateNetworkTime(double network_time) { } diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 7794b496b2..a921047b09 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -605,9 +605,9 @@ protected: * Hook for updates to network time. This method will be called * whenever network time is advanced. * - * @param networkt_time The new network time. + * @param network_time The new network time. */ - virtual void HookUpdateNetworkTime(const double network_time); + virtual void HookUpdateNetworkTime(double network_time); /** * Hook for destruction of objects registered with From d639488d36741e0b558bf4ab24d7b275f449195e Mon Sep 17 00:00:00 2001 From: Gilbert Clark Date: Sat, 27 Sep 2014 08:03:30 -0400 Subject: [PATCH 004/109] Incremental commit: implementing a wrapper for the Val class. Just a checkpoint: need to add / update tests to make sure things work as expected. Should build / pass core btests, though. --- src/Func.cc | 94 +++++++++++-------- src/Func.h | 5 +- src/plugin/Manager.cc | 6 +- src/plugin/Manager.h | 2 +- src/plugin/Plugin.cc | 17 +++- src/plugin/Plugin.h | 55 +++++++++-- .../btest/plugins/hooks-plugin/src/Plugin.cc | 2 +- .../btest/plugins/hooks-plugin/src/Plugin.h | 2 +- 8 files changed, 127 insertions(+), 56 deletions(-) 
diff --git a/src/Func.cc b/src/Func.cc index 9a4ff6a4fb..547af2c6ce 100644 --- a/src/Func.cc +++ b/src/Func.cc @@ -48,6 +48,8 @@ #include "Reporter.h" #include "plugin/Manager.h" +using plugin::ValWrapper; + extern RETSIGTYPE sig_handler(int signo); const Expr* calling_expr = 0; @@ -245,21 +247,40 @@ TraversalCode Func::Traverse(TraversalCallback* cb) const HANDLE_TC_STMT_POST(tc); } -Val* Func::HandlePluginResult(Val* plugin_result, val_list* args, function_flavor flavor) const +ValWrapper* Func::HandlePluginResult(ValWrapper* plugin_result, val_list* args, function_flavor flavor) const { - // Helper function factoring out this code from BroFunc:Call() for better - // readability. + // We either have not received a plugin result, or the plugin result hasn't been processed (read: fall into ::Call method) + if(!plugin_result) + return NULL; + + if(!plugin_result->processed) + { + if(plugin_result->value) + { + Unref(plugin_result->value); + plugin_result->value = NULL; + } + delete plugin_result; + return NULL; + } switch ( flavor ) { case FUNC_FLAVOR_EVENT: - Unref(plugin_result); - plugin_result = 0; + if(plugin_result->value) + { + char sbuf[1024]; + snprintf(sbuf, 1024, "plugin returned non-void result for event %s", this->Name()); + reporter->InternalError(sbuf); + } break; case FUNC_FLAVOR_HOOK: - if ( plugin_result->Type()->Tag() != TYPE_BOOL ) - reporter->InternalError("plugin returned non-bool for hook"); - + if ( plugin_result->value->Type()->Tag() != TYPE_BOOL ) + { + char sbuf[1024]; + snprintf(sbuf, 1024, "plugin returned non-bool for hook %s", this->Name()); + reporter->InternalError(sbuf); + } break; case FUNC_FLAVOR_FUNCTION: 
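Review bot: In the `FUNC_FLAVOR_HOOK` case of `Func::HandlePluginResult` (hunk -245) `plugin_result->value->Type()` is dereferenced without a null check, although a wrapper built with `ValWrapper(true)`, added to Plugin.h in this commit, has `processed == true` and `value == NULL`. A plugin that reports a hook as handled without attaching a value would crash the process here, while the event case just above does test `plugin_result->value` first. Guard it with `if ( ! plugin_result->value || plugin_result->value->Type()->Tag() != TYPE_BOOL )`. The function-flavor type check in the next hunk (-268) has the same unchecked dereference, and the `reporter->InternalError(sbuf)` calls added in both hunks pass a pre-formatted buffer as the format argument.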
@@ -268,34 +289,15 @@ Val* Func::HandlePluginResult(Val* plugin_result, val_list* args, function_flavo if ( (! yt) || yt->Tag() == TYPE_VOID ) { - Unref(plugin_result); - plugin_result = NULL; - } - - else + char sbuf[1024]; + snprintf(sbuf, 1024, "plugin returned non-void result for void method %s", this->Name()); + reporter->InternalError(sbuf); + } + else if ( plugin_result->value->Type()->Tag() != yt->Tag() && yt->Tag() != TYPE_ANY) { - /* - FIXME: I know this probably isn't a good idea, but what's the better solution? - - Hack: we want a way to force a NULL return in certain cases (e.g. function delayed). Since no function should ever reasonably return - an error, we use the error type to represent this case. - - Note that re-using a type that a function could reasonably return breaks down in the case of e.g. a delayed function, where the function - will have a very specific type but still return NULL because things have not yet been evaluated. Thus, if the delayed method returns a - bool, and our garbage return value is a bool, then how do we know whether or not the Val* returned by the function is actually meaningful - in the general case? - */ - if ( plugin_result->Type()->Tag() == TYPE_ERROR ) - { - Unref(plugin_result); - plugin_result = NULL; - } - else if ( plugin_result->Type()->Tag() != yt->Tag() && yt->Tag() != TYPE_ANY) - { - char sbuf[1024]; - snprintf(sbuf, 1024, "plugin returned wrong type (got %d, expecting %d) for %s", plugin_result->Type()->Tag(), yt->Tag(), this->Name()); - reporter->InternalError(sbuf); - } + char sbuf[1024]; + snprintf(sbuf, 1024, "plugin returned wrong type (got %d, expecting %d) for %s", plugin_result->value->Type()->Tag(), yt->Tag(), this->Name()); + reporter->InternalError(sbuf); } break; 
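Review bot: The branch for `(! yt) || yt->Tag() == TYPE_VOID` now reports an internal error unconditionally, so a plugin that handles a void function triggers it even when it attached no value; the message says "non-void result" but `plugin_result->value` is never tested. The event case in the previous hunk checks the value before reporting, and this branch should do the same by wrapping the report in `if ( plugin_result->value ) { ... }`. The switch statement and the rest of the function lie outside this hunk.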
@@ -351,10 +353,15 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const if ( sample_logger ) sample_logger->FunctionSeen(this); - Val* plugin_result = PLUGIN_HOOK_WITH_RESULT(HOOK_CALL_FUNCTION, HookCallFunction(this, parent, args), 0); + ValWrapper* plugin_result = PLUGIN_HOOK_WITH_RESULT(HOOK_CALL_FUNCTION, HookCallFunction(this, parent, args), 0); - if ( plugin_result ) - return HandlePluginResult(plugin_result, args, Flavor()); + plugin_result = HandlePluginResult(plugin_result, args, Flavor()); + if(plugin_result) + { + Val *result = plugin_result->value; + delete plugin_result; + return result; + } if ( bodies.empty() ) { @@ -568,10 +575,15 @@ Val* BuiltinFunc::Call(val_list* args, Frame* parent) const if ( sample_logger ) sample_logger->FunctionSeen(this); - Val* plugin_result = PLUGIN_HOOK_WITH_RESULT(HOOK_CALL_FUNCTION, HookCallFunction(this, parent, args), 0); + ValWrapper* plugin_result = PLUGIN_HOOK_WITH_RESULT(HOOK_CALL_FUNCTION, HookCallFunction(this, parent, args), 0); - if ( plugin_result ) - return HandlePluginResult(plugin_result, args, FUNC_FLAVOR_FUNCTION); + plugin_result = HandlePluginResult(plugin_result, args, FUNC_FLAVOR_FUNCTION); + if(plugin_result) + { + Val *result = plugin_result->value; + delete plugin_result; + return result; + } if ( g_trace_state.DoTrace() ) { diff --git a/src/Func.h b/src/Func.h index 446043d581..bfaa24708b 100644 --- a/src/Func.h +++ b/src/Func.h @@ -14,6 +14,9 @@ class Stmt; class Frame; class ID; class CallExpr; +namespace plugin { + struct ValWrapper; +} class Func : public BroObj { public: @@ -71,7 +74,7 @@ protected: Func(); // Helper function for handling result of plugin hook. - Val* HandlePluginResult(Val* plugin_result, val_list* args, function_flavor flavor) const; + plugin::ValWrapper* HandlePluginResult(plugin::ValWrapper* plugin_result, val_list* args, function_flavor flavor) const; DECLARE_ABSTRACT_SERIAL(Func); 
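Review bot: `delete plugin_result` in `BroFunc::Call` (and again in `BuiltinFunc::Call`, hunk -568) frees in the core an object that the plugin allocated, and nothing in the Plugin.h comment added by this commit says the wrapper must come from `new` or that the core takes ownership. A plugin that returns a pointer to a static or stack wrapper, or that is built with a different allocator than the core, would corrupt the heap here. Either document the rule next to the `@return` text, for example `The wrapper must be allocated with new; the caller deletes it.`, or return `ValWrapper` by value so no ownership crosses the plugin boundary. Both Call bodies continue outside the hunks.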
diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index 60e4d4fb78..d6ac3866ea 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -559,7 +559,7 @@ int Manager::HookLoadFile(const string& file) return rc; } -Val* Manager::HookCallFunction(const Func* func, Frame* parent, val_list* vargs) const +ValWrapper* Manager::HookCallFunction(const Func* func, Frame* parent, val_list* vargs) const { HookArgumentList args; @@ -573,7 +573,7 @@ Val* Manager::HookCallFunction(const Func* func, Frame* parent, val_list* vargs) hook_list* l = hooks[HOOK_CALL_FUNCTION]; - Val* v = 0; + ValWrapper* v = 0; if ( l ) for ( hook_list::iterator i = l->begin(); i != l->end(); ++i ) @@ -582,7 +582,7 @@ Val* Manager::HookCallFunction(const Func* func, Frame* parent, val_list* vargs) v = p->HookCallFunction(func, parent, vargs); - if ( v ) + if ( v && v-> processed) break; } diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h index 02071fa5b7..75d15a5c8b 100644 --- a/src/plugin/Manager.h +++ b/src/plugin/Manager.h @@ -244,7 +244,7 @@ public: * functions and events, it may be any Val and must be ignored). If no * plugin handled the call, the method returns null. */ - Val* HookCallFunction(const Func* func, Frame *parent, val_list* args) const; + ValWrapper* HookCallFunction(const Func* func, Frame *parent, val_list* args) const; /** * Hook that filters the queuing of an event. diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index 9565236d81..8aa528bc3d 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -106,6 +106,21 @@ void HookArgument::Describe(ODesc* d) const d->Add(""); break; + case WRAPPED_VAL: + if ( arg.wrapper ) + { + d->Add("wrapped("); + if(arg.wrapper->value) + { + arg.wrapper->value->Describe(d); + } + else + d->Add(""); + d->Add(")"); + } + + break; + case VAL_LIST: if ( arg.vals ) { 
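Review bot: In the plugin loop of `Manager::HookCallFunction` (hunk -582) a wrapper returned with `processed == false` is overwritten by the next plugin's result without being freed, so every declining plugin except the last leaks its `ValWrapper` and any value attached to it. `Func::HandlePluginResult` only cleans up the single wrapper that is finally returned. Release the declined wrapper before the next iteration, `if ( v->value ) Unref(v->value);` followed by `delete v; v = 0;`, inside an `else if ( v )` after the break test. The loop and the rest of the function extend beyond the hunk.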
@@ -271,7 +286,7 @@ int Plugin::HookLoadFile(const std::string& file, const std::string& ext) return -1; } -Val* Plugin::HookCallFunction(const Func* func, Frame *parent, val_list* args) +ValWrapper* Plugin::HookCallFunction(const Func* func, Frame *parent, val_list* args) { return 0; } diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index a921047b09..9119d338d5 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -25,6 +25,34 @@ class Manager; class Component; class Plugin; +/** + * In certain cases, functions may have well-defined return types but still return NULL values (e.g. delayed functions, opaque types). + * Thus, it's necessary to explicitly define whether or not a plugin has handled a function in addition to recording the value it has + * returned. + * + * Plugins' function handlers return a result of this type. + */ +struct ValWrapper { + Val* value; //< value being wrapped by this object + bool processed; //< true if execution should *STOP* (read: the plugin is replacing a method), and false if execution should *CONTINUE* (read: bro should execute a method) + + /** + Wrapper for a specific value. If we're setting a value, we assume we've processed something. + + @param value value to be wrapped + */ + ValWrapper(Val* value) + : value(value), processed(true) { } + + /** + Wrapper for a specific value. If we're setting 'processed', we assume there's a reason we're not setting a Val and set that to NULL. + + @param processed whether or not an execution of a function was handled by the plugin + */ + ValWrapper(bool processed) + : value(NULL), processed(processed) { } +}; + /** * Hook types that a plugin may define. Each label maps to the corresponding * virtual method in \a Plugin. @@ -155,7 +183,7 @@ public: * Type of the argument. */ enum Type { - BOOL, DOUBLE, EVENT, FUNC, INT, STRING, VAL, VAL_LIST, VOID, VOIDP, + BOOL, DOUBLE, EVENT, FUNC, INT, STRING, VAL, WRAPPED_VAL, VAL_LIST, VOID, VOIDP, }; /** 
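Review bot: The `ValWrapper` struct added in Plugin.h (hunk -25) overloads a `Val*` constructor with a `bool` one, so an argument that cannot bind to `Val*`, such as a `const Val*`, silently selects `ValWrapper(bool)` and yields `processed == true` with a null value. Combined with the unchecked `value->Type()` calls in Func.cc this turns a type slip in a plugin into a crash in the core. A single constructor, `ValWrapper(Val* value, bool processed)`, removes the ambiguity; if both are kept they should at least be `explicit`. The struct comment should also state who calls `Unref` on `value` and who deletes the wrapper, which the diff leaves implicit.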
@@ -208,6 +236,11 @@ public: */ HookArgument(void* p) { type = VOIDP; arg.voidp = p; } + /** + * Constructor with a ValWrapper argument. + */ + HookArgument(ValWrapper* a) { type = WRAPPED_VAL; arg.wrapper = a; } + /** * Returns the value for a boolen argument. The argument's type must * match accordingly. @@ -250,6 +283,12 @@ public: */ const Val* AsVal() const { assert(type == VAL); return arg.val; } + /** + * Returns the value for a Bro wrapped value argument. The argument's type must + * match accordingly. + */ + const ValWrapper* AsValWrapper() const { assert(type == VAL_WRAPPER); return arg.wrapper; } + /** * Returns the value for a list of Bro values argument. The argument's type must * match accordingly. @@ -283,6 +322,7 @@ private: const Func* func; int int_; const Val* val; + const ValWrapper* wrapper; const val_list* vals; const void* voidp; } arg; @@ -567,13 +607,14 @@ protected: * in place as long as it ensures matching types and correct reference * counting. * - * @return If the plugin handled the call, a Val with +1 reference - * count containixnmg the result value to pass back to the interpreter - * (for void functions and events any \a Val is fine; it will be - * ignored; best to use a \c TYPE_ANY). If the plugin did not handle - * the call, it must return null. + * @return If the plugin handled the call, a ValWrapper with the + * processed flag set to true, and a value set on the object with + * a+1 reference count containing the result value to pass back to the + * interpreter. If the plugin did not handle the call, it may either + * return NULL *or* return a ValWrapper with the processed flag set to + * 'false'. */ - virtual Val* HookCallFunction(const Func* func, Frame *parent, val_list* args); + virtual ValWrapper* HookCallFunction(const Func* func, Frame *parent, val_list* args); /** * Hook into raising events. Whenever the script interpreter is about 
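Review bot: `AsValWrapper()` (hunk -250) asserts `type == VAL_WRAPPER`, but the enumerator this commit adds to `HookArgument::Type` is `WRAPPED_VAL`, and no `VAL_WRAPPER` is declared anywhere in the diff. With assertions enabled the header would not compile, and under NDEBUG the accessor reads the union without any type check. It should read `assert(type == WRAPPED_VAL);`. The line is still unchanged in the context of PATCH 005's Plugin.h hunk -290.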
diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.cc b/testing/btest/plugins/hooks-plugin/src/Plugin.cc index a9d0a529ba..e5507f5a0e 100644 --- a/testing/btest/plugins/hooks-plugin/src/Plugin.cc +++ b/testing/btest/plugins/hooks-plugin/src/Plugin.cc @@ -48,7 +48,7 @@ int Plugin::HookLoadFile(const std::string& file, const std::string& ext) return -1; } -Val* Plugin::HookCallFunction(const Func* func, val_list* args) +Val* Plugin::HookCallFunction(const Func* func, Frame* frame, val_list* args) { ODesc d; d.SetShort(); diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.h b/testing/btest/plugins/hooks-plugin/src/Plugin.h index 3bfa66a83f..940e427621 100644 --- a/testing/btest/plugins/hooks-plugin/src/Plugin.h +++ b/testing/btest/plugins/hooks-plugin/src/Plugin.h @@ -11,7 +11,7 @@ class Plugin : public ::plugin::Plugin { protected: virtual int HookLoadFile(const std::string& file, const std::string& ext); - virtual Val* HookCallFunction(const Func* func, val_list* args); + virtual Val* HookCallFunction(const Func* func, Frame* frame, val_list* args); virtual bool HookQueueEvent(Event* event); virtual void HookDrainEvents(); virtual void HookUpdateNetworkTime(double network_time); From 70c7258dfaf08729601507774ae4e1a797e43d75 Mon Sep 17 00:00:00 2001 
From: Gilbert Clark Date: Thu, 2 Oct 2014 19:23:59 -0400 Subject: [PATCH 005/109] Updating tests and tweaking HookArgument to include Frame support. * Add frame support to HookArgument, since it's a new argument to HookCallFunction * Fix test in api-version-mismatch to remove absolute paths from output * Update test plugin to use new HookCallFunction interface --- src/plugin/Plugin.cc | 42 +- src/plugin/Plugin.h | 14 +- .../plugins.api-version-mismatch/output | 2 +- testing/btest/Baseline/plugins.hooks/output | 1714 ++++++++--------- testing/btest/plugins/api-version-mismatch.sh | 1 + .../btest/plugins/hooks-plugin/src/Plugin.cc | 3 +- .../btest/plugins/hooks-plugin/src/Plugin.h | 2 +- 7 files changed, 879 insertions(+), 899 deletions(-) diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index 8aa528bc3d..1e98532ba6 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -83,6 +83,13 @@ void HookArgument::Describe(ODesc* d) const d->Add(""); break; + case FRAME: + if ( arg.frame ) + arg.frame->Describe(d); + else + d->Add(""); + break; + case FUNC: if ( arg.func ) d->Add(arg.func->Name()); @@ -106,21 +113,6 @@ void HookArgument::Describe(ODesc* d) const d->Add(""); break; - case WRAPPED_VAL: - if ( arg.wrapper ) - { - d->Add("wrapped("); - if(arg.wrapper->value) - { - arg.wrapper->value->Describe(d); - } - else - d->Add(""); - d->Add(")"); - } - - break; - case VAL_LIST: if ( arg.vals ) { @@ -139,6 +131,26 @@ void HookArgument::Describe(ODesc* d) const case VOIDP: d->Add(""); break; + + case WRAPPED_VAL: + if ( arg.wrapper ) + { + d->Add("wrapped("); + if(arg.wrapper->value) + { + arg.wrapper->value->Describe(d); + } + else + d->Add(""); + d->Add(")"); + } + else + { + d->Add(""); + } + + break; + } } diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 1269cf9a43..65acb37b7a 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h 
@@ -184,7 +184,7 @@ public: * Type of the argument. */ enum Type { - BOOL, DOUBLE, EVENT, FUNC, INT, STRING, VAL, WRAPPED_VAL, VAL_LIST, VOID, VOIDP, + BOOL, DOUBLE, EVENT, FRAME, FUNC, INT, STRING, VAL, VAL_LIST, VOID, VOIDP, WRAPPED_VAL }; /** @@ -242,6 +242,11 @@ public: */ HookArgument(ValWrapper* a) { type = WRAPPED_VAL; arg.wrapper = a; } + /** + * Constructor with a Frame argument. + */ + HookArgument(Frame* f) { type = FRAME; arg.frame = f; } + /** * Returns the value for a boolen argument. The argument's type must * match accordingly. @@ -290,6 +295,12 @@ public: */ const ValWrapper* AsValWrapper() const { assert(type == VAL_WRAPPER); return arg.wrapper; } + /** + * Returns the value for a Bro frame argument. The argument's type must + * match accordingly. + */ + const Frame* AsFrame() const { assert(type == FRAME); return arg.frame; } + /** * Returns the value for a list of Bro values argument. The argument's type must * match accordingly. @@ -321,6 +332,7 @@ private: double double_; const Event* event; const Func* func; + const Frame* frame; int int_; const Val* val; const ValWrapper* wrapper; diff --git a/testing/btest/Baseline/plugins.api-version-mismatch/output b/testing/btest/Baseline/plugins.api-version-mismatch/output index 806623cd02..fee3c9cd19 100644 --- a/testing/btest/Baseline/plugins.api-version-mismatch/output +++ b/testing/btest/Baseline/plugins.api-version-mismatch/output @@ -1 +1 @@ -fatal error in /home/robin/bro/master/scripts/base/init-bare.bro, line 1: plugin's API version does not match Bro (expected 2, got 42 in /home/robin/bro/master/testing/btest/.tmp/plugins.api-version-mismatch//lib/Demo-Foo.linux-x86_64.so) +fatal error in XXX line 1: plugin's API version does not match Bro (expected 2, got 42 in XXX diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 83341f3075..1fb647cd94 100644 --- a/testing/btest/Baseline/plugins.hooks/output 
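Review bot: Inserting `FRAME` in the middle of `HookArgument::Type` and moving `WRAPPED_VAL` to the end (hunk -184) renumbers `FUNC` through `VOIDP`, so a plugin built against the earlier header sees different type tags than the core writes. The `assert(type == ...)` checks in the `As*()` accessors would then fire, or under NDEBUG stop protecting the union read. Appending the new enumerator after the existing ones keeps the old values stable; otherwise the plugin API version should be raised with this change (the version constant is not in this diff). `AsValWrapper()` in the context of hunk -290 still asserts on the undeclared `VAL_WRAPPER`.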
+++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -1,317 +1,294 @@ -0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, (Analyzer::ANALYZER_BACKDOOR)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, (Analyzer::ANALYZER_INTERCONN)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, (Analyzer::ANALYZER_STEPPINGSTONE)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, (Analyzer::ANALYZER_TCPSTATS)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DHCP, 67/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DHCP, 68/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3, 20000/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 137/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 53/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 53/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 5353/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 5355/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_FTP, 21/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_GTPV1, 2123/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_GTPV1, 2152/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, 
(Analyzer::ANALYZER_HTTP, 3128/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 631/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 80/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 8000/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 8080/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 81/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 8888/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_IRC, 6666/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_IRC, 6667/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_IRC, 6668/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_IRC, 6669/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_MODBUS, 502/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_RADIUS, 1812/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SMTP, 25/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SMTP, 587/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SNMP, 161/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SNMP, 162/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SOCKS, 1080/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSH, 22/tcp)) -> -0.000000 MetaHookPost 
CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 443/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 5223/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 563/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 585/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 614/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 636/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 989/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 990/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 992/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 993/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 995/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_BACKDOOR)) -> -0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_INTERCONN)) -> -0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_STEPPINGSTONE)) -> -0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_TCPSTATS)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 67/udp)) -> -0.000000 MetaHookPost 
CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 68/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3, 20000/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 137/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 5353/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 5355/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_FTP, 21/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_GTPV1, 2123/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_GTPV1, 2152/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 3128/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 631/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 80/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 8000/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 8080/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 81/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 8888/tcp)) -> -0.000000 MetaHookPost 
CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_IRC, 6666/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_IRC, 6667/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_IRC, 6668/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_IRC, 6669/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_MODBUS, 502/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_RADIUS, 1812/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SMTP, 25/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SMTP, 587/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SNMP, 161/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SNMP, 162/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SOCKS, 1080/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSH, 22/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 443/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 5223/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 563/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 585/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 614/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 636/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 989/tcp)) -> -0.000000 MetaHookPost 
CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 990/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 992/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 993/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 995/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_AYIYA, {5072/udp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DHCP, {67<...>/udp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNP3, {20000/tcp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNS, {5355<...>/udp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_HTTP, {631<...>/tcp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_IRC, {6669<...>/tcp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_MODBUS, {502/tcp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_RADIUS, {1812/udp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SMTP, {25<...>/tcp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SNMP, {162<...>/udp})) -> -0.000000 MetaHookPost 
CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SOCKS, {1080/tcp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SSH, {22/tcp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SSL, {5223<...>/tcp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SYSLOG, {514/udp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_TEREDO, {3544/udp})) -> -0.000000 MetaHookPost CallFunction(Cluster::is_enabled, ()) -> -0.000000 MetaHookPost CallFunction(Files::register_analyzer_add_callback, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) -> -0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) -> -0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? 
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])) -> -0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) -> -0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -> -0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = 
split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, 
exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (HTTP::LOG, 
[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = 
fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn 
(to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost 
CallFunction(Log::__add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( 
!= Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Cluster::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Communication::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Conn::LOG, [columns=, ev=Conn::log_conn])) -> 
-0.000000 MetaHookPost CallFunction(Log::__create_stream, (DHCP::LOG, [columns=, ev=DHCP::log_dhcp])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (DNP3::LOG, [columns=, ev=DNP3::log_dnp3])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (DNS::LOG, [columns=, ev=DNS::log_dns])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (DPD::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (FTP::LOG, [columns=, ev=FTP::log_ftp])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Files::LOG, [columns=, ev=Files::log_files])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (HTTP::LOG, [columns=, ev=HTTP::log_http])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (IRC::LOG, [columns=, ev=IRC::irc_log])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Intel::LOG, [columns=, ev=Intel::log_intel])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Modbus::LOG, [columns=, ev=Modbus::log_modbus])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Notice::ALARM_LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Notice::LOG, [columns=, ev=Notice::log_notice])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (PacketFilter::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (RADIUS::LOG, [columns=, ev=RADIUS::log_radius])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Reporter::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (SMTP::LOG, [columns=, ev=SMTP::log_smtp])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (SNMP::LOG, [columns=, ev=SNMP::log_snmp])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (SOCKS::LOG, [columns=, ev=SOCKS::log_socks])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (SSH::LOG, [columns=, ev=SSH::log_ssh])) -> -0.000000 MetaHookPost 
CallFunction(Log::__create_stream, (SSL::LOG, [columns=, ev=SSL::log_ssl])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Signatures::LOG, [columns=, ev=Signatures::log_signature])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Software::LOG, [columns=, ev=Software::log_software])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Syslog::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Tunnel::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Unified2::LOG, [columns=, ev=Unified2::log_unified2])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) -> -0.000000 MetaHookPost CallFunction(Log::__write, (PacketFilter::LOG, [ts=1409853900.737227, node=bro, filter=ip or not ip, init=T, success=T])) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Cluster::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Communication::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Conn::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (DHCP::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (DNP3::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (DNS::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (DPD::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (FTP::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Files::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (HTTP::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (IRC::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Intel::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Modbus::LOG)) -> 
-0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Notice::ALARM_LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Notice::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (PacketFilter::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (RADIUS::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Reporter::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (SMTP::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (SNMP::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (SOCKS::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (SSH::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (SSL::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Signatures::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Software::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Syslog::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Tunnel::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Unified2::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Weird::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (X509::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, 
interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, 
exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (SOCKS::LOG, [name=default, 
writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost 
CallFunction(Log::add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Cluster::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Communication::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Conn::LOG, [columns=, ev=Conn::log_conn])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (DHCP::LOG, [columns=, ev=DHCP::log_dhcp])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (DNP3::LOG, [columns=, ev=DNP3::log_dnp3])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (DNS::LOG, [columns=, ev=DNS::log_dns])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (DPD::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (FTP::LOG, [columns=, ev=FTP::log_ftp])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Files::LOG, [columns=, ev=Files::log_files])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (HTTP::LOG, [columns=, ev=HTTP::log_http])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (IRC::LOG, [columns=, ev=IRC::irc_log])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Intel::LOG, [columns=, ev=Intel::log_intel])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Modbus::LOG, [columns=, ev=Modbus::log_modbus])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Notice::ALARM_LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Notice::LOG, [columns=, ev=Notice::log_notice])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (PacketFilter::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (RADIUS::LOG, [columns=, ev=RADIUS::log_radius])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Reporter::LOG, 
[columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (SMTP::LOG, [columns=, ev=SMTP::log_smtp])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (SNMP::LOG, [columns=, ev=SNMP::log_snmp])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (SOCKS::LOG, [columns=, ev=SOCKS::log_socks])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (SSH::LOG, [columns=, ev=SSH::log_ssh])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (SSL::LOG, [columns=, ev=SSL::log_ssl])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Signatures::LOG, [columns=, ev=Signatures::log_signature])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Software::LOG, [columns=, ev=Software::log_software])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Syslog::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Tunnel::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Unified2::LOG, [columns=, ev=Unified2::log_unified2])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) -> -0.000000 MetaHookPost CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1409853900.737227, node=bro, filter=ip or not ip, init=T, success=T])) -> -0.000000 MetaHookPost CallFunction(Log::write, (PacketFilter::LOG, [ts=1409853900.737227, node=bro, filter=ip or not ip, init=T, success=T])) -> -0.000000 MetaHookPost CallFunction(Notice::want_pp, ()) -> -0.000000 MetaHookPost CallFunction(PacketFilter::build, ()) -> -0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, (ip or not ip, and, )) -> -0.000000 MetaHookPost CallFunction(PacketFilter::install, ()) -> -0.000000 MetaHookPost CallFunction(SumStats::add_observe_plugin_dependency, (SumStats::STD_DEV, SumStats::VARIANCE)) -> -0.000000 
MetaHookPost CallFunction(SumStats::add_observe_plugin_dependency, (SumStats::VARIANCE, SumStats::AVERAGE)) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::AVERAGE, anonymous-function{ if (!SumStats::rv?$average) SumStats::rv$average = SumStats::valelseSumStats::rv$average += (SumStats::val - SumStats::rv$average) / (coerce SumStats::rv$num to double)})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::HLL_UNIQUE, anonymous-function{ if (!SumStats::rv?$card) { SumStats::rv$card = hll_cardinality_init(SumStats::r$hll_error_margin, SumStats::r$hll_confidence)SumStats::rv$hll_error_margin = SumStats::r$hll_error_marginSumStats::rv$hll_confidence = SumStats::r$hll_confidence}hll_cardinality_add(SumStats::rv$card, SumStats::obs)SumStats::rv$hll_unique = double_to_count(hll_cardinality_estimate(SumStats::rv$card))})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::LAST, anonymous-function{ if (0 < SumStats::r$num_last_elements) { if (!SumStats::rv?$last_elements) SumStats::rv$last_elements = Queue::init((coerce [$max_len=SumStats::r$num_last_elements] to Queue::Settings))Queue::put(SumStats::rv$last_elements, SumStats::obs)}})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::MAX, anonymous-function{ if (!SumStats::rv?$max) SumStats::rv$max = SumStats::valelseif (SumStats::rv$max < SumStats::val) SumStats::rv$max = SumStats::val})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::MIN, anonymous-function{ if (!SumStats::rv?$min) SumStats::rv$min = SumStats::valelseif (SumStats::val < SumStats::rv$min) SumStats::rv$min = SumStats::val})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::SAMPLE, anonymous-function{ SumStats::sample_add_sample(SumStats::obs, SumStats::rv)})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, 
(SumStats::STD_DEV, anonymous-function{ SumStats::calc_std_dev(SumStats::rv)})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::SUM, anonymous-function{ SumStats::rv$sum += SumStats::val})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::TOPK, anonymous-function{ topk_add(SumStats::rv$topk, SumStats::obs)})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugins, ()) -> -0.000000 MetaHookPost CallFunction(bro_init, ()) -> -0.000000 MetaHookPost CallFunction(cat, (Packe, t, _, Filter)) -> -0.000000 MetaHookPost CallFunction(current_time, ()) -> -0.000000 MetaHookPost CallFunction(filter_change_tracking, ()) -> -0.000000 MetaHookPost CallFunction(fmt, (%s, PacketFilter::LOG)) -> -0.000000 MetaHookPost CallFunction(getenv, (CLUSTER_NODE)) -> -0.000000 MetaHookPost CallFunction(install_pcap_filter, (PacketFilter::DefaultPcapFilter)) -> -0.000000 MetaHookPost CallFunction(network_time, ()) -> -0.000000 MetaHookPost CallFunction(precompile_pcap_filter, (PacketFilter::DefaultPcapFilter, ip or not ip)) -> -0.000000 MetaHookPost CallFunction(reading_live_traffic, ()) -> -0.000000 
MetaHookPost CallFunction(reading_traces, ()) -> -0.000000 MetaHookPost CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$)) -> -0.000000 MetaHookPost CallFunction(split1, (PacketFilter::LOG, <...>/)) -> -0.000000 MetaHookPost CallFunction(split_n, (PacketFilter, <...>/, T, 4)) -> -0.000000 MetaHookPost CallFunction(string_to_pattern, ((^\.?|\.)()$, F)) -> -0.000000 MetaHookPost CallFunction(sub, ((^\.?|\.)(~~)$, <...>/, )) -> -0.000000 MetaHookPost CallFunction(sub_bytes, (tFilter, 1, 1)) -> -0.000000 MetaHookPost CallFunction(sub_bytes, (tFilter, 2, 7)) -> -0.000000 MetaHookPost CallFunction(to_lower, (Packet_Filter)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, frame Analyzer::ANALYZER_BACKDOOR, (Analyzer::ANALYZER_BACKDOOR)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, frame Analyzer::ANALYZER_INTERCONN, (Analyzer::ANALYZER_INTERCONN)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, frame Analyzer::ANALYZER_STEPPINGSTONE, (Analyzer::ANALYZER_STEPPINGSTONE)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, frame Analyzer::ANALYZER_TCPSTATS, (Analyzer::ANALYZER_TCPSTATS)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_AYIYA5072<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DHCP67<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DHCP68<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DNP320000<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DNS137<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DNS5353<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DNS5355<...>/udp)) -> +0.000000 
MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DNS53<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DNS53<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_FTP21<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_FTP2811<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_GTPV12123<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_GTPV12152<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP1080<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP3128<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP631<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP8000<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP8080<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP80<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP81<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP8888<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_IRC6666<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_IRC6667<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_IRC6668<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, 
frame Analyzer::ANALYZER_IRC6669<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_MODBUS502<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_RADIUS1812<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SMTP25<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SMTP587<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SNMP161<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SNMP162<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SOCKS1080<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSH22<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL443<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL5223<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL563<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL585<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL614<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL636<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL989<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL990<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL992<...>/tcp)) -> +0.000000 
MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL993<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL995<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SYSLOG514<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_TEREDO3544<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, frame Analyzer::ANALYZER_BACKDOOR, (Analyzer::ANALYZER_BACKDOOR)) -> +0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, frame Analyzer::ANALYZER_INTERCONN, (Analyzer::ANALYZER_INTERCONN)) -> +0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, frame Analyzer::ANALYZER_STEPPINGSTONE, (Analyzer::ANALYZER_STEPPINGSTONE)) -> +0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, frame Analyzer::ANALYZER_TCPSTATS, (Analyzer::ANALYZER_TCPSTATS)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_AYIYA{5072<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_DHCP{67<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_DNP3{20000<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_DNS{5355<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_DNS{5355<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_FTP{2811<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_GTPV1{2152<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_HTTP{631<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, frame 
Analyzer::ANALYZER_IRC{6669<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_MODBUS{502<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_RADIUS{1812<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_SMTP{25<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_SNMP{162<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_SOCKS{1080<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_SSH{22<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_SSL{5223<...>/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_SYSLOG{514<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_TEREDO{3544<...>/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_AYIYA, {5072/udp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_DHCP, {67<...>/udp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_DNP3, {20000/tcp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_DNS, {5355<...>/udp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_HTTP, {631<...>/tcp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, frame , 
(Analyzer::ANALYZER_IRC, {6669<...>/tcp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_MODBUS, {502/tcp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_SMTP, {25<...>/tcp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_SNMP, {162<...>/udp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_SOCKS, {1080/tcp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_SSH, {22/tcp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_SSL, {5223<...>/tcp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_TEREDO, {3544/udp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, frame Analyzer::ANALYZER_STEPPINGSTONE, (Analyzer::ANALYZER_RADIUS, {1812/udp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, frame Analyzer::ANALYZER_STEPPINGSTONE, (Analyzer::ANALYZER_SYSLOG, {514/udp})) -> +0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> +0.000000 MetaHookPost CallFunction(Cluster::is_enabled, frame , ()) -> +0.000000 MetaHookPost CallFunction(Files::register_analyzer_add_callback, frame , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) -> +0.000000 MetaHookPost CallFunction(Files::register_protocol, frame , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) 
return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) -> +0.000000 MetaHookPost CallFunction(Files::register_protocol, frame , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) -> +0.000000 MetaHookPost CallFunction(Files::register_protocol, frame , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -> +0.000000 MetaHookPost CallFunction(Files::register_protocol, frame , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> +0.000000 MetaHookPost CallFunction(Files::register_protocol, frame Analyzer::ANALYZER_STEPPINGSTONE, (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, 
HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame Cluster::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame Communication::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame Conn::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame DHCP::LOG[name=default, 
writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame DNP3::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame DNS::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame DPD::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame FTP::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, 
Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame Files::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame HTTP::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame IRC::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame Intel::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn 
(to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame Modbus::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame Notice::ALARM_LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame Notice::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame PacketFilter::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 
+0.000000 MetaHookPost CallFunction(Log::__add_filter, frame RADIUS::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame Reporter::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame SMTP::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame SNMP::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame SOCKS::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, 
path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame SSH::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame SSL::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame Signatures::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame Software::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = 
split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame Syslog::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame Tunnel::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame Unified2::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame Weird::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn 
(to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, frame X509::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame Cluster::LOG[columns=, ev=], (Cluster::LOG, [columns=, ev=])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame Communication::LOG[columns=, ev=], (Communication::LOG, [columns=, ev=])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame Conn::LOG[columns=, ev=Conn::log_conn], (Conn::LOG, [columns=, ev=Conn::log_conn])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame DHCP::LOG[columns=, ev=DHCP::log_dhcp], (DHCP::LOG, [columns=, ev=DHCP::log_dhcp])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame DNP3::LOG[columns=, ev=DNP3::log_dnp3], (DNP3::LOG, [columns=, ev=DNP3::log_dnp3])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame DNS::LOG[columns=, ev=DNS::log_dns], (DNS::LOG, [columns=, ev=DNS::log_dns])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame DPD::LOG[columns=, ev=], (DPD::LOG, [columns=, ev=])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame FTP::LOG[columns=, ev=FTP::log_ftp], (FTP::LOG, [columns=, ev=FTP::log_ftp])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame Files::LOG[columns=, ev=Files::log_files], (Files::LOG, [columns=, ev=Files::log_files])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame HTTP::LOG[columns=, ev=HTTP::log_http], (HTTP::LOG, 
[columns=, ev=HTTP::log_http])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame IRC::LOG[columns=, ev=IRC::irc_log], (IRC::LOG, [columns=, ev=IRC::irc_log])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame Intel::LOG[columns=, ev=Intel::log_intel], (Intel::LOG, [columns=, ev=Intel::log_intel])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame Modbus::LOG[columns=, ev=Modbus::log_modbus], (Modbus::LOG, [columns=, ev=Modbus::log_modbus])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame Notice::ALARM_LOG[columns=, ev=], (Notice::ALARM_LOG, [columns=, ev=])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame Notice::LOG[columns=, ev=Notice::log_notice], (Notice::LOG, [columns=, ev=Notice::log_notice])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame PacketFilter::LOG[columns=, ev=], (PacketFilter::LOG, [columns=, ev=])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame RADIUS::LOG[columns=, ev=RADIUS::log_radius], (RADIUS::LOG, [columns=, ev=RADIUS::log_radius])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame Reporter::LOG[columns=, ev=], (Reporter::LOG, [columns=, ev=])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame SMTP::LOG[columns=, ev=SMTP::log_smtp], (SMTP::LOG, [columns=, ev=SMTP::log_smtp])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame SNMP::LOG[columns=, ev=SNMP::log_snmp], (SNMP::LOG, [columns=, ev=SNMP::log_snmp])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame SOCKS::LOG[columns=, ev=SOCKS::log_socks], (SOCKS::LOG, [columns=, ev=SOCKS::log_socks])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame SSH::LOG[columns=, ev=SSH::log_ssh], (SSH::LOG, [columns=, ev=SSH::log_ssh])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame SSL::LOG[columns=, ev=SSL::log_ssl], (SSL::LOG, [columns=, ev=SSL::log_ssl])) -> +0.000000 
MetaHookPost CallFunction(Log::__create_stream, frame Signatures::LOG[columns=, ev=Signatures::log_signature], (Signatures::LOG, [columns=, ev=Signatures::log_signature])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame Software::LOG[columns=, ev=Software::log_software], (Software::LOG, [columns=, ev=Software::log_software])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame Syslog::LOG[columns=, ev=], (Syslog::LOG, [columns=, ev=])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame Tunnel::LOG[columns=, ev=], (Tunnel::LOG, [columns=, ev=])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame Unified2::LOG[columns=, ev=Unified2::log_unified2], (Unified2::LOG, [columns=, ev=Unified2::log_unified2])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame Weird::LOG[columns=, ev=Weird::log_weird], (Weird::LOG, [columns=, ev=Weird::log_weird])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, frame X509::LOG[columns=, ev=X509::log_x509], (X509::LOG, [columns=, ev=X509::log_x509])) -> +0.000000 MetaHookPost CallFunction(Log::__write, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T], (PacketFilter::LOG, [ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame Cluster::LOG[columns=, ev=], (Cluster::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame Communication::LOG[columns=, ev=], (Communication::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame Conn::LOG[columns=, ev=Conn::log_conn], (Conn::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame DHCP::LOG[columns=, ev=DHCP::log_dhcp], (DHCP::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame DNP3::LOG[columns=, ev=DNP3::log_dnp3], (DNP3::LOG)) -> +0.000000 MetaHookPost 
CallFunction(Log::add_default_filter, frame DNS::LOG[columns=, ev=DNS::log_dns], (DNS::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame DPD::LOG[columns=, ev=], (DPD::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame FTP::LOG[columns=, ev=FTP::log_ftp], (FTP::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame Files::LOG[columns=, ev=Files::log_files], (Files::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame HTTP::LOG[columns=, ev=HTTP::log_http], (HTTP::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame IRC::LOG[columns=, ev=IRC::irc_log], (IRC::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame Intel::LOG[columns=, ev=Intel::log_intel], (Intel::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame Modbus::LOG[columns=, ev=Modbus::log_modbus], (Modbus::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame Notice::ALARM_LOG[columns=, ev=], (Notice::ALARM_LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame Notice::LOG[columns=, ev=Notice::log_notice], (Notice::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame PacketFilter::LOG[columns=, ev=], (PacketFilter::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame RADIUS::LOG[columns=, ev=RADIUS::log_radius], (RADIUS::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame Reporter::LOG[columns=, ev=], (Reporter::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame SMTP::LOG[columns=, ev=SMTP::log_smtp], (SMTP::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame SNMP::LOG[columns=, ev=SNMP::log_snmp], (SNMP::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame SOCKS::LOG[columns=, ev=SOCKS::log_socks], (SOCKS::LOG)) -> +0.000000 MetaHookPost 
CallFunction(Log::add_default_filter, frame SSH::LOG[columns=, ev=SSH::log_ssh], (SSH::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame SSL::LOG[columns=, ev=SSL::log_ssl], (SSL::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame Signatures::LOG[columns=, ev=Signatures::log_signature], (Signatures::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame Software::LOG[columns=, ev=Software::log_software], (Software::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame Syslog::LOG[columns=, ev=], (Syslog::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame Tunnel::LOG[columns=, ev=], (Tunnel::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame Unified2::LOG[columns=, ev=Unified2::log_unified2], (Unified2::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame Weird::LOG[columns=, ev=Weird::log_weird], (Weird::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame X509::LOG[columns=, ev=X509::log_x509], (X509::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame Cluster::LOG, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame Communication::LOG, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame Conn::LOG, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame DHCP::LOG, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, 
path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame DNP3::LOG, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame DNS::LOG, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame DPD::LOG, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame FTP::LOG, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame Files::LOG, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame HTTP::LOG, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame IRC::LOG, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame Intel::LOG, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, 
log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame Modbus::LOG, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame Notice::ALARM_LOG, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame Notice::LOG, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame PacketFilter::LOG, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame RADIUS::LOG, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame Reporter::LOG, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame SMTP::LOG, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame SNMP::LOG, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, 
log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame SOCKS::LOG, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame SSH::LOG, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame SSL::LOG, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame Signatures::LOG, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame Software::LOG, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame Syslog::LOG, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame Tunnel::LOG, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame Unified2::LOG, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, 
interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame Weird::LOG, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, frame X509::LOG, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (Cluster::LOG, [columns=, ev=])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (Communication::LOG, [columns=, ev=])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (DHCP::LOG, [columns=, ev=DHCP::log_dhcp])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (DNP3::LOG, [columns=, ev=DNP3::log_dnp3])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (DNS::LOG, [columns=, ev=DNS::log_dns])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (DPD::LOG, [columns=, ev=])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (FTP::LOG, [columns=, ev=FTP::log_ftp])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (Files::LOG, [columns=, ev=Files::log_files])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (HTTP::LOG, [columns=, ev=HTTP::log_http])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (IRC::LOG, [columns=, ev=IRC::irc_log])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (Intel::LOG, [columns=, ev=Intel::log_intel])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (Modbus::LOG, [columns=, ev=Modbus::log_modbus])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (Notice::ALARM_LOG, [columns=, ev=])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, 
frame , (Notice::LOG, [columns=, ev=Notice::log_notice])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (PacketFilter::LOG, [columns=, ev=])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (Reporter::LOG, [columns=, ev=])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (SMTP::LOG, [columns=, ev=SMTP::log_smtp])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (SNMP::LOG, [columns=, ev=SNMP::log_snmp])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (SOCKS::LOG, [columns=, ev=SOCKS::log_socks])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (SSH::LOG, [columns=, ev=SSH::log_ssh])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (SSL::LOG, [columns=, ev=SSL::log_ssl])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (Signatures::LOG, [columns=, ev=Signatures::log_signature])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (Tunnel::LOG, [columns=, ev=])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (Unified2::LOG, [columns=, ev=Unified2::log_unified2])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (Weird::LOG, [columns=, ev=Weird::log_weird])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame , (X509::LOG, [columns=, ev=X509::log_x509])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame Analyzer::ANALYZER_STEPPINGSTONE, (Conn::LOG, [columns=, ev=Conn::log_conn])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame Analyzer::ANALYZER_STEPPINGSTONE, (RADIUS::LOG, [columns=, ev=RADIUS::log_radius])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame Analyzer::ANALYZER_STEPPINGSTONE, (Software::LOG, [columns=, ev=Software::log_software])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, frame Analyzer::ANALYZER_STEPPINGSTONE, (Syslog::LOG, [columns=, ev=])) -> +0.000000 MetaHookPost 
CallFunction(Log::default_path_func, , (PacketFilter::LOG, , [ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, frame ip or not ip1412291343.3228235.0 usecs[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T], (PacketFilter::LOG, [ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Notice::want_pp, frame , ()) -> +0.000000 MetaHookPost CallFunction(PacketFilter::build, frame [ts=, node=, filter=, init=F, success=T], ()) -> +0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, frame [func=]ip or not ip, (ip or not ip, and, )) -> +0.000000 MetaHookPost CallFunction(PacketFilter::install, frame , ()) -> +0.000000 MetaHookPost CallFunction(SumStats::add_observe_plugin_dependency, frame , (SumStats::STD_DEV, SumStats::VARIANCE)) -> +0.000000 MetaHookPost CallFunction(SumStats::add_observe_plugin_dependency, frame , (SumStats::VARIANCE, SumStats::AVERAGE)) -> +0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, frame , (SumStats::AVERAGE, anonymous-function{ if (!SumStats::rv?$average) SumStats::rv$average = SumStats::valelseSumStats::rv$average += (SumStats::val - SumStats::rv$average) / (coerce SumStats::rv$num to double)})) -> +0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, frame , (SumStats::HLL_UNIQUE, anonymous-function{ if (!SumStats::rv?$card) { SumStats::rv$card = hll_cardinality_init(SumStats::r$hll_error_margin, SumStats::r$hll_confidence)SumStats::rv$hll_error_margin = SumStats::r$hll_error_marginSumStats::rv$hll_confidence = SumStats::r$hll_confidence}hll_cardinality_add(SumStats::rv$card, SumStats::obs)SumStats::rv$hll_unique = double_to_count(hll_cardinality_estimate(SumStats::rv$card))})) -> +0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, frame , (SumStats::LAST, anonymous-function{ if (0 < SumStats::r$num_last_elements) { if 
(!SumStats::rv?$last_elements) SumStats::rv$last_elements = Queue::init((coerce [$max_len=SumStats::r$num_last_elements] to Queue::Settings))Queue::put(SumStats::rv$last_elements, SumStats::obs)}})) -> +0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, frame , (SumStats::MAX, anonymous-function{ if (!SumStats::rv?$max) SumStats::rv$max = SumStats::valelseif (SumStats::rv$max < SumStats::val) SumStats::rv$max = SumStats::val})) -> +0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, frame , (SumStats::MIN, anonymous-function{ if (!SumStats::rv?$min) SumStats::rv$min = SumStats::valelseif (SumStats::val < SumStats::rv$min) SumStats::rv$min = SumStats::val})) -> +0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, frame , (SumStats::SAMPLE, anonymous-function{ SumStats::sample_add_sample(SumStats::obs, SumStats::rv)})) -> +0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, frame , (SumStats::STD_DEV, anonymous-function{ SumStats::calc_std_dev(SumStats::rv)})) -> +0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, frame , (SumStats::SUM, anonymous-function{ SumStats::rv$sum += SumStats::val})) -> +0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, frame , (SumStats::TOPK, anonymous-function{ topk_add(SumStats::rv$topk, SumStats::obs)})) -> +0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, frame , (SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals})) -> +0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, frame , (SumStats::VARIANCE, anonymous-function{ if (1 < 
SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average})) -> +0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugins, frame , ()) -> +0.000000 MetaHookPost CallFunction(bro_init, , ()) -> +0.000000 MetaHookPost CallFunction(cat, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}{[2] = tFilter,[1] = Packe,[3] = }Packe, (Packe, t, _, Filter)) -> +0.000000 MetaHookPost CallFunction(current_time, frame ip or not ip1412291343.3228235.0 usecs[ts=0.0, node=bro, filter=, init=F, success=T], ()) -> +0.000000 MetaHookPost CallFunction(current_time, frame ip or not ip1412291343.32282[ts=, node=, filter=, init=F, success=T], ()) -> +0.000000 MetaHookPost CallFunction(current_time, frame ip or not ip[ts=, node=, filter=, init=F, success=T], ()) -> +0.000000 MetaHookPost CallFunction(filter_change_tracking, , ()) -> +0.000000 MetaHookPost CallFunction(fmt, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T], (%s, PacketFilter::LOG)) -> +0.000000 MetaHookPost CallFunction(getenv, , (CLUSTER_NODE)) -> +0.000000 MetaHookPost CallFunction(install_pcap_filter, frame ip or not ip1412291343.3228235.0 usecs[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T], (PacketFilter::DefaultPcapFilter)) -> +0.000000 MetaHookPost CallFunction(network_time, frame ip or not ip1412291343.3228235.0 usecs[ts=, node=, filter=, init=F, success=T], ()) -> +0.000000 MetaHookPost CallFunction(precompile_pcap_filter, frame ip or not ip1412291343.32282[ts=, node=, filter=, init=F, success=T], (PacketFilter::DefaultPcapFilter, ip or not ip)) -> +0.000000 MetaHookPost CallFunction(reading_live_traffic, frame ip or not ip1412291343.3228235.0 usecs[ts=1412291343.322872, node=bro, filter=ip or not 
ip, init=T, success=T], ()) -> +0.000000 MetaHookPost CallFunction(reading_traces, frame , ()) -> +0.000000 MetaHookPost CallFunction(reading_traces, frame , ()) -> +0.000000 MetaHookPost CallFunction(reading_traces, frame ip or not ip1412291343.3228235.0 usecs[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T], ()) -> +0.000000 MetaHookPost CallFunction(set_to_regex, frame , ({}, (^\.?|\.)(~~)$)) -> +0.000000 MetaHookPost CallFunction(split1, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG, (PacketFilter::LOG, <...>/)) -> +0.000000 MetaHookPost CallFunction(split_n, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}, (PacketFilter, <...>/, T, 4)) -> +0.000000 MetaHookPost CallFunction(string_to_pattern, frame {}(^\.?|\.)(~~)$0, ((^\.?|\.)()$, F)) -> +0.000000 MetaHookPost CallFunction(sub, frame {}(^\.?|\.)(~~)$0, ((^\.?|\.)(~~)$, <...>/, )) -> +0.000000 MetaHookPost CallFunction(sub_bytes, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}{[2] = tFilter,[1] = Packe,[3] = }Packe, (tFilter, 1, 1)) -> +0.000000 MetaHookPost CallFunction(sub_bytes, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}{[2] = tFilter,[1] = Packe,[3] = }Packe, (tFilter, 2, 7)) -> +0.000000 MetaHookPost CallFunction(to_lower, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}{[2] = tFilter,[1] = Packe,[3] = }Packet_Filter, (Packet_Filter)) -> 0.000000 MetaHookPost DrainEvents() -> 0.000000 MetaHookPost LoadFile(../main) -> -1 0.000000 MetaHookPost LoadFile(./Bro_ARP.events.bif.bro) -> -1 
@@ -521,320 +498,297 @@ 0.000000 MetaHookPost LoadFile(base<...>/x509) -> -1 0.000000 MetaHookPost QueueEvent(bro_init()) -> false 0.000000 MetaHookPost QueueEvent(filter_change_tracking()) -> false -0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, (Analyzer::ANALYZER_BACKDOOR)) -0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, (Analyzer::ANALYZER_INTERCONN)) -0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, (Analyzer::ANALYZER_STEPPINGSTONE)) -0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, (Analyzer::ANALYZER_TCPSTATS)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DHCP, 67/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DHCP, 68/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3, 20000/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 137/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 53/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 53/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 5353/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 5355/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_FTP, 21/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_FTP, 2811/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_GTPV1, 2123/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_GTPV1, 2152/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, 
(Analyzer::ANALYZER_HTTP, 1080/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 3128/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 631/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 80/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 8000/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 8080/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 81/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 8888/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_IRC, 6666/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_IRC, 6667/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_IRC, 6668/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_IRC, 6669/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_MODBUS, 502/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_RADIUS, 1812/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SMTP, 25/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SMTP, 587/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SNMP, 161/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SNMP, 162/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SOCKS, 1080/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSH, 22/tcp)) -0.000000 
MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 443/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 5223/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 563/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 585/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 614/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 636/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 989/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 990/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 992/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 993/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 995/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_BACKDOOR)) -0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_INTERCONN)) -0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_STEPPINGSTONE)) -0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_TCPSTATS)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 67/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 68/udp)) 
-0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3, 20000/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 137/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 5353/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 5355/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_FTP, 21/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_FTP, 2811/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_GTPV1, 2123/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_GTPV1, 2152/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 3128/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 631/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 80/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 8000/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 8080/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 81/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 8888/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_IRC, 6666/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_IRC, 
6667/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_IRC, 6668/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_IRC, 6669/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_MODBUS, 502/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_RADIUS, 1812/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SMTP, 25/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SMTP, 587/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SNMP, 161/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SNMP, 162/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SOCKS, 1080/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSH, 22/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 443/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 5223/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 563/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 585/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 614/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 636/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 989/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 990/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 992/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 
993/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 995/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_AYIYA, {5072/udp})) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DHCP, {67<...>/udp})) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNP3, {20000/tcp})) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNS, {5355<...>/udp})) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_HTTP, {631<...>/tcp})) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_IRC, {6669<...>/tcp})) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_MODBUS, {502/tcp})) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_RADIUS, {1812/udp})) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SMTP, {25<...>/tcp})) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SNMP, {162<...>/udp})) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SOCKS, {1080/tcp})) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SSH, {22/tcp})) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SSL, {5223<...>/tcp})) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, 
(Analyzer::ANALYZER_SYSLOG, {514/udp})) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_TEREDO, {3544/udp})) -0.000000 MetaHookPre CallFunction(Cluster::is_enabled, ()) -0.000000 MetaHookPre CallFunction(Files::register_analyzer_add_callback, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) -0.000000 MetaHookPre CallFunction(Files::register_protocol, (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) -0.000000 MetaHookPre CallFunction(Files::register_protocol, (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? 
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])) -0.000000 MetaHookPre CallFunction(Files::register_protocol, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) -0.000000 MetaHookPre CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -0.000000 MetaHookPre CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, 
<...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, 
interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, 
path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return 
(cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 
secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, 
path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return 
(cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (Cluster::LOG, [columns=, ev=])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (Communication::LOG, [columns=, ev=])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (Conn::LOG, [columns=, ev=Conn::log_conn])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (DHCP::LOG, [columns=, ev=DHCP::log_dhcp])) -0.000000 MetaHookPre 
CallFunction(Log::__create_stream, (DNP3::LOG, [columns=, ev=DNP3::log_dnp3])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (DNS::LOG, [columns=, ev=DNS::log_dns])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (DPD::LOG, [columns=, ev=])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (FTP::LOG, [columns=, ev=FTP::log_ftp])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (Files::LOG, [columns=, ev=Files::log_files])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (HTTP::LOG, [columns=, ev=HTTP::log_http])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (IRC::LOG, [columns=, ev=IRC::irc_log])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (Intel::LOG, [columns=, ev=Intel::log_intel])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (Modbus::LOG, [columns=, ev=Modbus::log_modbus])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (Notice::ALARM_LOG, [columns=, ev=])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (Notice::LOG, [columns=, ev=Notice::log_notice])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (PacketFilter::LOG, [columns=, ev=])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (RADIUS::LOG, [columns=, ev=RADIUS::log_radius])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (Reporter::LOG, [columns=, ev=])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (SMTP::LOG, [columns=, ev=SMTP::log_smtp])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (SNMP::LOG, [columns=, ev=SNMP::log_snmp])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (SOCKS::LOG, [columns=, ev=SOCKS::log_socks])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (SSH::LOG, [columns=, ev=SSH::log_ssh])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (SSL::LOG, [columns=, ev=SSL::log_ssl])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (Signatures::LOG, [columns=, ev=Signatures::log_signature])) -0.000000 
MetaHookPre CallFunction(Log::__create_stream, (Software::LOG, [columns=, ev=Software::log_software])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (Syslog::LOG, [columns=, ev=])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (Tunnel::LOG, [columns=, ev=])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (Unified2::LOG, [columns=, ev=Unified2::log_unified2])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) -0.000000 MetaHookPre CallFunction(Log::__write, (PacketFilter::LOG, [ts=1409853900.737227, node=bro, filter=ip or not ip, init=T, success=T])) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Cluster::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Communication::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Conn::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (DHCP::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (DNP3::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (DNS::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (DPD::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (FTP::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Files::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (HTTP::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (IRC::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Intel::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Modbus::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Notice::ALARM_LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Notice::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (PacketFilter::LOG)) -0.000000 MetaHookPre 
CallFunction(Log::add_default_filter, (RADIUS::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Reporter::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (SMTP::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (SNMP::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (SOCKS::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (SSH::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (SSL::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Signatures::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Software::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Syslog::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Tunnel::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Unified2::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Weird::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, (X509::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (DNP3::LOG, 
[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, 
(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre 
CallFunction(Log::add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (Cluster::LOG, [columns=, ev=])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (Communication::LOG, [columns=, ev=])) -0.000000 MetaHookPre 
CallFunction(Log::create_stream, (Conn::LOG, [columns=, ev=Conn::log_conn])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (DHCP::LOG, [columns=, ev=DHCP::log_dhcp])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (DNP3::LOG, [columns=, ev=DNP3::log_dnp3])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (DNS::LOG, [columns=, ev=DNS::log_dns])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (DPD::LOG, [columns=, ev=])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (FTP::LOG, [columns=, ev=FTP::log_ftp])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (Files::LOG, [columns=, ev=Files::log_files])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (HTTP::LOG, [columns=, ev=HTTP::log_http])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (IRC::LOG, [columns=, ev=IRC::irc_log])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (Intel::LOG, [columns=, ev=Intel::log_intel])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (Modbus::LOG, [columns=, ev=Modbus::log_modbus])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (Notice::ALARM_LOG, [columns=, ev=])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (Notice::LOG, [columns=, ev=Notice::log_notice])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (PacketFilter::LOG, [columns=, ev=])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (RADIUS::LOG, [columns=, ev=RADIUS::log_radius])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (Reporter::LOG, [columns=, ev=])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (SMTP::LOG, [columns=, ev=SMTP::log_smtp])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (SNMP::LOG, [columns=, ev=SNMP::log_snmp])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (SOCKS::LOG, [columns=, ev=SOCKS::log_socks])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (SSH::LOG, [columns=, ev=SSH::log_ssh])) -0.000000 MetaHookPre CallFunction(Log::create_stream, 
(SSL::LOG, [columns=, ev=SSL::log_ssl])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (Signatures::LOG, [columns=, ev=Signatures::log_signature])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (Software::LOG, [columns=, ev=Software::log_software])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (Syslog::LOG, [columns=, ev=])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (Tunnel::LOG, [columns=, ev=])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (Unified2::LOG, [columns=, ev=Unified2::log_unified2])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) -0.000000 MetaHookPre CallFunction(Log::create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) -0.000000 MetaHookPre CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1409853900.737227, node=bro, filter=ip or not ip, init=T, success=T])) -0.000000 MetaHookPre CallFunction(Log::write, (PacketFilter::LOG, [ts=1409853900.737227, node=bro, filter=ip or not ip, init=T, success=T])) -0.000000 MetaHookPre CallFunction(Notice::want_pp, ()) -0.000000 MetaHookPre CallFunction(PacketFilter::build, ()) -0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, (ip or not ip, and, )) -0.000000 MetaHookPre CallFunction(PacketFilter::install, ()) -0.000000 MetaHookPre CallFunction(SumStats::add_observe_plugin_dependency, (SumStats::STD_DEV, SumStats::VARIANCE)) -0.000000 MetaHookPre CallFunction(SumStats::add_observe_plugin_dependency, (SumStats::VARIANCE, SumStats::AVERAGE)) -0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, (SumStats::AVERAGE, anonymous-function{ if (!SumStats::rv?$average) SumStats::rv$average = SumStats::valelseSumStats::rv$average += (SumStats::val - SumStats::rv$average) / (coerce SumStats::rv$num to double)})) -0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, (SumStats::HLL_UNIQUE, anonymous-function{ if (!SumStats::rv?$card) { SumStats::rv$card = 
hll_cardinality_init(SumStats::r$hll_error_margin, SumStats::r$hll_confidence)SumStats::rv$hll_error_margin = SumStats::r$hll_error_marginSumStats::rv$hll_confidence = SumStats::r$hll_confidence}hll_cardinality_add(SumStats::rv$card, SumStats::obs)SumStats::rv$hll_unique = double_to_count(hll_cardinality_estimate(SumStats::rv$card))})) -0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, (SumStats::LAST, anonymous-function{ if (0 < SumStats::r$num_last_elements) { if (!SumStats::rv?$last_elements) SumStats::rv$last_elements = Queue::init((coerce [$max_len=SumStats::r$num_last_elements] to Queue::Settings))Queue::put(SumStats::rv$last_elements, SumStats::obs)}})) -0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, (SumStats::MAX, anonymous-function{ if (!SumStats::rv?$max) SumStats::rv$max = SumStats::valelseif (SumStats::rv$max < SumStats::val) SumStats::rv$max = SumStats::val})) -0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, (SumStats::MIN, anonymous-function{ if (!SumStats::rv?$min) SumStats::rv$min = SumStats::valelseif (SumStats::val < SumStats::rv$min) SumStats::rv$min = SumStats::val})) -0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, (SumStats::SAMPLE, anonymous-function{ SumStats::sample_add_sample(SumStats::obs, SumStats::rv)})) -0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, (SumStats::STD_DEV, anonymous-function{ SumStats::calc_std_dev(SumStats::rv)})) -0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, (SumStats::SUM, anonymous-function{ SumStats::rv$sum += SumStats::val})) -0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, (SumStats::TOPK, anonymous-function{ topk_add(SumStats::rv$topk, SumStats::obs)})) -0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, (SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if 
(SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals})) -0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, (SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average})) -0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugins, ()) -0.000000 MetaHookPre CallFunction(bro_init, ()) -0.000000 MetaHookPre CallFunction(cat, (Packe, t, _, Filter)) -0.000000 MetaHookPre CallFunction(current_time, ()) -0.000000 MetaHookPre CallFunction(filter_change_tracking, ()) -0.000000 MetaHookPre CallFunction(fmt, (%s, PacketFilter::LOG)) -0.000000 MetaHookPre CallFunction(getenv, (CLUSTER_NODE)) -0.000000 MetaHookPre CallFunction(install_pcap_filter, (PacketFilter::DefaultPcapFilter)) -0.000000 MetaHookPre CallFunction(network_time, ()) -0.000000 MetaHookPre CallFunction(precompile_pcap_filter, (PacketFilter::DefaultPcapFilter, ip or not ip)) -0.000000 MetaHookPre CallFunction(reading_live_traffic, ()) -0.000000 MetaHookPre CallFunction(reading_traces, ()) -0.000000 MetaHookPre CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$)) -0.000000 MetaHookPre CallFunction(split1, (PacketFilter::LOG, <...>/)) -0.000000 MetaHookPre CallFunction(split_n, (PacketFilter, <...>/, T, 4)) -0.000000 MetaHookPre CallFunction(string_to_pattern, ((^\.?|\.)()$, F)) -0.000000 MetaHookPre CallFunction(sub, ((^\.?|\.)(~~)$, <...>/, )) -0.000000 MetaHookPre CallFunction(sub_bytes, (tFilter, 1, 1)) -0.000000 MetaHookPre CallFunction(sub_bytes, (tFilter, 2, 7)) -0.000000 MetaHookPre CallFunction(to_lower, (Packet_Filter)) +0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, 
frame Analyzer::ANALYZER_BACKDOOR, (Analyzer::ANALYZER_BACKDOOR)) +0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, frame Analyzer::ANALYZER_INTERCONN, (Analyzer::ANALYZER_INTERCONN)) +0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, frame Analyzer::ANALYZER_STEPPINGSTONE, (Analyzer::ANALYZER_STEPPINGSTONE)) +0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, frame Analyzer::ANALYZER_TCPSTATS, (Analyzer::ANALYZER_TCPSTATS)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_AYIYA5072<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DHCP67<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DHCP68<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DNP320000<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DNS137<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DNS5353<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DNS5355<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DNS53<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DNS53<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_FTP21<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_FTP2811<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_GTPV12123<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_GTPV12152<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame 
Analyzer::ANALYZER_HTTP1080<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP3128<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP631<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP8000<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP8080<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP80<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP81<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP8888<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_IRC6666<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_IRC6667<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_IRC6668<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_IRC6669<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_MODBUS502<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_RADIUS1812<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SMTP25<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SMTP587<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SNMP161<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SNMP162<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame 
Analyzer::ANALYZER_SOCKS1080<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSH22<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL443<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL5223<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL563<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL585<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL614<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL636<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL989<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL990<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL992<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL993<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL995<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SYSLOG514<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_TEREDO3544<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, frame Analyzer::ANALYZER_BACKDOOR, (Analyzer::ANALYZER_BACKDOOR)) +0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, frame Analyzer::ANALYZER_INTERCONN, (Analyzer::ANALYZER_INTERCONN)) +0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, frame Analyzer::ANALYZER_STEPPINGSTONE, (Analyzer::ANALYZER_STEPPINGSTONE)) +0.000000 MetaHookPre 
CallFunction(Analyzer::disable_analyzer, frame Analyzer::ANALYZER_TCPSTATS, (Analyzer::ANALYZER_TCPSTATS)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_AYIYA{5072<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_DHCP{67<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_DNP3{20000<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_DNS{5355<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_DNS{5355<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_FTP{2811<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_GTPV1{2152<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_HTTP{631<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_IRC{6669<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_MODBUS{502<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_RADIUS{1812<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_SMTP{25<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_SNMP{162<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_SOCKS{1080<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_SSH{22<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_SSL{5223<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_SYSLOG{514<...>/udp)) +0.000000 MetaHookPre 
CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_TEREDO{3544<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_AYIYA, {5072/udp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_DHCP, {67<...>/udp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_DNP3, {20000/tcp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_DNS, {5355<...>/udp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_HTTP, {631<...>/tcp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_IRC, {6669<...>/tcp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_MODBUS, {502/tcp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_SMTP, {25<...>/tcp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_SNMP, {162<...>/udp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_SOCKS, {1080/tcp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_SSH, {22/tcp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_SSL, {5223<...>/tcp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_TEREDO, {3544/udp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame Analyzer::ANALYZER_STEPPINGSTONE, (Analyzer::ANALYZER_RADIUS, {1812/udp})) +0.000000 MetaHookPre 
CallFunction(Analyzer::register_for_ports, frame Analyzer::ANALYZER_STEPPINGSTONE, (Analyzer::ANALYZER_SYSLOG, {514/udp})) +0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) +0.000000 MetaHookPre CallFunction(Cluster::is_enabled, frame , ()) +0.000000 MetaHookPre CallFunction(Files::register_analyzer_add_callback, frame , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) +0.000000 MetaHookPre CallFunction(Files::register_protocol, frame , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, frame , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, frame , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) +0.000000 MetaHookPre 
CallFunction(Files::register_protocol, frame , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, frame Analyzer::ANALYZER_STEPPINGSTONE, (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Cluster::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Communication::LOG[name=default, writer=Log::WRITER_ASCII, pred=, 
path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Conn::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame DHCP::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame DNP3::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame DNS::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return 
(cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame DPD::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame FTP::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Files::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame HTTP::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 
secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame IRC::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Intel::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Modbus::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Notice::ALARM_LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Notice::LOG[name=default, 
writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame PacketFilter::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame RADIUS::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Reporter::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame SMTP::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, 
Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame SNMP::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame SOCKS::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame SSH::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame SSL::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, 
include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Signatures::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Software::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Syslog::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Tunnel::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre 
CallFunction(Log::__add_filter, frame Unified2::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Weird::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame X509::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Cluster::LOG[columns=, ev=], (Cluster::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Communication::LOG[columns=, ev=], (Communication::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Conn::LOG[columns=, ev=Conn::log_conn], (Conn::LOG, [columns=, ev=Conn::log_conn])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame DHCP::LOG[columns=, ev=DHCP::log_dhcp], (DHCP::LOG, [columns=, ev=DHCP::log_dhcp])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame 
DNP3::LOG[columns=, ev=DNP3::log_dnp3], (DNP3::LOG, [columns=, ev=DNP3::log_dnp3])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame DNS::LOG[columns=, ev=DNS::log_dns], (DNS::LOG, [columns=, ev=DNS::log_dns])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame DPD::LOG[columns=, ev=], (DPD::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame FTP::LOG[columns=, ev=FTP::log_ftp], (FTP::LOG, [columns=, ev=FTP::log_ftp])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Files::LOG[columns=, ev=Files::log_files], (Files::LOG, [columns=, ev=Files::log_files])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame HTTP::LOG[columns=, ev=HTTP::log_http], (HTTP::LOG, [columns=, ev=HTTP::log_http])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame IRC::LOG[columns=, ev=IRC::irc_log], (IRC::LOG, [columns=, ev=IRC::irc_log])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Intel::LOG[columns=, ev=Intel::log_intel], (Intel::LOG, [columns=, ev=Intel::log_intel])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Modbus::LOG[columns=, ev=Modbus::log_modbus], (Modbus::LOG, [columns=, ev=Modbus::log_modbus])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Notice::ALARM_LOG[columns=, ev=], (Notice::ALARM_LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Notice::LOG[columns=, ev=Notice::log_notice], (Notice::LOG, [columns=, ev=Notice::log_notice])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame PacketFilter::LOG[columns=, ev=], (PacketFilter::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame RADIUS::LOG[columns=, ev=RADIUS::log_radius], (RADIUS::LOG, [columns=, ev=RADIUS::log_radius])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Reporter::LOG[columns=, ev=], (Reporter::LOG, [columns=, ev=])) +0.000000 MetaHookPre 
CallFunction(Log::__create_stream, frame SMTP::LOG[columns=, ev=SMTP::log_smtp], (SMTP::LOG, [columns=, ev=SMTP::log_smtp])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame SNMP::LOG[columns=, ev=SNMP::log_snmp], (SNMP::LOG, [columns=, ev=SNMP::log_snmp])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame SOCKS::LOG[columns=, ev=SOCKS::log_socks], (SOCKS::LOG, [columns=, ev=SOCKS::log_socks])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame SSH::LOG[columns=, ev=SSH::log_ssh], (SSH::LOG, [columns=, ev=SSH::log_ssh])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame SSL::LOG[columns=, ev=SSL::log_ssl], (SSL::LOG, [columns=, ev=SSL::log_ssl])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Signatures::LOG[columns=, ev=Signatures::log_signature], (Signatures::LOG, [columns=, ev=Signatures::log_signature])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Software::LOG[columns=, ev=Software::log_software], (Software::LOG, [columns=, ev=Software::log_software])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Syslog::LOG[columns=, ev=], (Syslog::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Tunnel::LOG[columns=, ev=], (Tunnel::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Unified2::LOG[columns=, ev=Unified2::log_unified2], (Unified2::LOG, [columns=, ev=Unified2::log_unified2])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Weird::LOG[columns=, ev=Weird::log_weird], (Weird::LOG, [columns=, ev=Weird::log_weird])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame X509::LOG[columns=, ev=X509::log_x509], (X509::LOG, [columns=, ev=X509::log_x509])) +0.000000 MetaHookPre CallFunction(Log::__write, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T], (PacketFilter::LOG, [ts=1412291343.322872, node=bro, filter=ip or not ip, 
init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Cluster::LOG[columns=, ev=], (Cluster::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Communication::LOG[columns=, ev=], (Communication::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Conn::LOG[columns=, ev=Conn::log_conn], (Conn::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame DHCP::LOG[columns=, ev=DHCP::log_dhcp], (DHCP::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame DNP3::LOG[columns=, ev=DNP3::log_dnp3], (DNP3::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame DNS::LOG[columns=, ev=DNS::log_dns], (DNS::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame DPD::LOG[columns=, ev=], (DPD::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame FTP::LOG[columns=, ev=FTP::log_ftp], (FTP::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Files::LOG[columns=, ev=Files::log_files], (Files::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame HTTP::LOG[columns=, ev=HTTP::log_http], (HTTP::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame IRC::LOG[columns=, ev=IRC::irc_log], (IRC::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Intel::LOG[columns=, ev=Intel::log_intel], (Intel::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Modbus::LOG[columns=, ev=Modbus::log_modbus], (Modbus::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Notice::ALARM_LOG[columns=, ev=], (Notice::ALARM_LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Notice::LOG[columns=, ev=Notice::log_notice], (Notice::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame PacketFilter::LOG[columns=, ev=], (PacketFilter::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame 
RADIUS::LOG[columns=, ev=RADIUS::log_radius], (RADIUS::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Reporter::LOG[columns=, ev=], (Reporter::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame SMTP::LOG[columns=, ev=SMTP::log_smtp], (SMTP::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame SNMP::LOG[columns=, ev=SNMP::log_snmp], (SNMP::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame SOCKS::LOG[columns=, ev=SOCKS::log_socks], (SOCKS::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame SSH::LOG[columns=, ev=SSH::log_ssh], (SSH::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame SSL::LOG[columns=, ev=SSL::log_ssl], (SSL::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Signatures::LOG[columns=, ev=Signatures::log_signature], (Signatures::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Software::LOG[columns=, ev=Software::log_software], (Software::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Syslog::LOG[columns=, ev=], (Syslog::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Tunnel::LOG[columns=, ev=], (Tunnel::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Unified2::LOG[columns=, ev=Unified2::log_unified2], (Unified2::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Weird::LOG[columns=, ev=Weird::log_weird], (Weird::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame X509::LOG[columns=, ev=X509::log_x509], (X509::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Cluster::LOG, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Communication::LOG, (Communication::LOG, [name=default, 
writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Conn::LOG, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame DHCP::LOG, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame DNP3::LOG, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame DNS::LOG, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame DPD::LOG, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame FTP::LOG, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Files::LOG, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame HTTP::LOG, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, 
log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame IRC::LOG, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Intel::LOG, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Modbus::LOG, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Notice::ALARM_LOG, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Notice::LOG, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame PacketFilter::LOG, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame RADIUS::LOG, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Reporter::LOG, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, 
postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame SMTP::LOG, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame SNMP::LOG, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame SOCKS::LOG, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame SSH::LOG, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame SSL::LOG, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Signatures::LOG, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Software::LOG, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Syslog::LOG, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre 
CallFunction(Log::add_filter, frame Tunnel::LOG, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Unified2::LOG, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Weird::LOG, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame X509::LOG, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Cluster::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Communication::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (DHCP::LOG, [columns=, ev=DHCP::log_dhcp])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (DNP3::LOG, [columns=, ev=DNP3::log_dnp3])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (DNS::LOG, [columns=, ev=DNS::log_dns])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (DPD::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (FTP::LOG, [columns=, ev=FTP::log_ftp])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Files::LOG, [columns=, ev=Files::log_files])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (HTTP::LOG, [columns=, ev=HTTP::log_http])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (IRC::LOG, [columns=, ev=IRC::irc_log])) +0.000000 
MetaHookPre CallFunction(Log::create_stream, frame , (Intel::LOG, [columns=, ev=Intel::log_intel])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Modbus::LOG, [columns=, ev=Modbus::log_modbus])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Notice::ALARM_LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Notice::LOG, [columns=, ev=Notice::log_notice])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (PacketFilter::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Reporter::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (SMTP::LOG, [columns=, ev=SMTP::log_smtp])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (SNMP::LOG, [columns=, ev=SNMP::log_snmp])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (SOCKS::LOG, [columns=, ev=SOCKS::log_socks])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (SSH::LOG, [columns=, ev=SSH::log_ssh])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (SSL::LOG, [columns=, ev=SSL::log_ssl])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Signatures::LOG, [columns=, ev=Signatures::log_signature])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Tunnel::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Unified2::LOG, [columns=, ev=Unified2::log_unified2])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Weird::LOG, [columns=, ev=Weird::log_weird])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (X509::LOG, [columns=, ev=X509::log_x509])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame Analyzer::ANALYZER_STEPPINGSTONE, (Conn::LOG, [columns=, ev=Conn::log_conn])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame Analyzer::ANALYZER_STEPPINGSTONE, (RADIUS::LOG, [columns=, ev=RADIUS::log_radius])) 
+0.000000 MetaHookPre CallFunction(Log::create_stream, frame Analyzer::ANALYZER_STEPPINGSTONE, (Software::LOG, [columns=, ev=Software::log_software])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame Analyzer::ANALYZER_STEPPINGSTONE, (Syslog::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::default_path_func, , (PacketFilter::LOG, , [ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, frame ip or not ip1412291343.3228235.0 usecs[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T], (PacketFilter::LOG, [ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Notice::want_pp, frame , ()) +0.000000 MetaHookPre CallFunction(PacketFilter::build, frame [ts=, node=, filter=, init=F, success=T], ()) +0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, frame [func=]ip or not ip, (ip or not ip, and, )) +0.000000 MetaHookPre CallFunction(PacketFilter::install, frame , ()) +0.000000 MetaHookPre CallFunction(SumStats::add_observe_plugin_dependency, frame , (SumStats::STD_DEV, SumStats::VARIANCE)) +0.000000 MetaHookPre CallFunction(SumStats::add_observe_plugin_dependency, frame , (SumStats::VARIANCE, SumStats::AVERAGE)) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::AVERAGE, anonymous-function{ if (!SumStats::rv?$average) SumStats::rv$average = SumStats::valelseSumStats::rv$average += (SumStats::val - SumStats::rv$average) / (coerce SumStats::rv$num to double)})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::HLL_UNIQUE, anonymous-function{ if (!SumStats::rv?$card) { SumStats::rv$card = hll_cardinality_init(SumStats::r$hll_error_margin, SumStats::r$hll_confidence)SumStats::rv$hll_error_margin = SumStats::r$hll_error_marginSumStats::rv$hll_confidence = SumStats::r$hll_confidence}hll_cardinality_add(SumStats::rv$card, 
SumStats::obs)SumStats::rv$hll_unique = double_to_count(hll_cardinality_estimate(SumStats::rv$card))})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::LAST, anonymous-function{ if (0 < SumStats::r$num_last_elements) { if (!SumStats::rv?$last_elements) SumStats::rv$last_elements = Queue::init((coerce [$max_len=SumStats::r$num_last_elements] to Queue::Settings))Queue::put(SumStats::rv$last_elements, SumStats::obs)}})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::MAX, anonymous-function{ if (!SumStats::rv?$max) SumStats::rv$max = SumStats::valelseif (SumStats::rv$max < SumStats::val) SumStats::rv$max = SumStats::val})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::MIN, anonymous-function{ if (!SumStats::rv?$min) SumStats::rv$min = SumStats::valelseif (SumStats::val < SumStats::rv$min) SumStats::rv$min = SumStats::val})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::SAMPLE, anonymous-function{ SumStats::sample_add_sample(SumStats::obs, SumStats::rv)})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::STD_DEV, anonymous-function{ SumStats::calc_std_dev(SumStats::rv)})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::SUM, anonymous-function{ SumStats::rv$sum += SumStats::val})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::TOPK, anonymous-function{ topk_add(SumStats::rv$topk, SumStats::obs)})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add 
SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugins, frame , ()) +0.000000 MetaHookPre CallFunction(bro_init, , ()) +0.000000 MetaHookPre CallFunction(cat, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}{[2] = tFilter,[1] = Packe,[3] = }Packe, (Packe, t, _, Filter)) +0.000000 MetaHookPre CallFunction(current_time, frame ip or not ip1412291343.3228235.0 usecs[ts=0.0, node=bro, filter=, init=F, success=T], ()) +0.000000 MetaHookPre CallFunction(current_time, frame ip or not ip1412291343.32282[ts=, node=, filter=, init=F, success=T], ()) +0.000000 MetaHookPre CallFunction(current_time, frame ip or not ip[ts=, node=, filter=, init=F, success=T], ()) +0.000000 MetaHookPre CallFunction(filter_change_tracking, , ()) +0.000000 MetaHookPre CallFunction(fmt, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T], (%s, PacketFilter::LOG)) +0.000000 MetaHookPre CallFunction(getenv, , (CLUSTER_NODE)) +0.000000 MetaHookPre CallFunction(install_pcap_filter, frame ip or not ip1412291343.3228235.0 usecs[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T], (PacketFilter::DefaultPcapFilter)) +0.000000 MetaHookPre CallFunction(network_time, frame ip or not ip1412291343.3228235.0 usecs[ts=, node=, filter=, init=F, success=T], ()) +0.000000 MetaHookPre CallFunction(precompile_pcap_filter, frame ip or not ip1412291343.32282[ts=, node=, filter=, init=F, success=T], 
(PacketFilter::DefaultPcapFilter, ip or not ip)) +0.000000 MetaHookPre CallFunction(reading_live_traffic, frame ip or not ip1412291343.3228235.0 usecs[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T], ()) +0.000000 MetaHookPre CallFunction(reading_traces, frame , ()) +0.000000 MetaHookPre CallFunction(reading_traces, frame , ()) +0.000000 MetaHookPre CallFunction(reading_traces, frame ip or not ip1412291343.3228235.0 usecs[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T], ()) +0.000000 MetaHookPre CallFunction(set_to_regex, frame , ({}, (^\.?|\.)(~~)$)) +0.000000 MetaHookPre CallFunction(split1, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG, (PacketFilter::LOG, <...>/)) +0.000000 MetaHookPre CallFunction(split_n, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}, (PacketFilter, <...>/, T, 4)) +0.000000 MetaHookPre CallFunction(string_to_pattern, frame {}(^\.?|\.)(~~)$0, ((^\.?|\.)()$, F)) +0.000000 MetaHookPre CallFunction(sub, frame {}(^\.?|\.)(~~)$0, ((^\.?|\.)(~~)$, <...>/, )) +0.000000 MetaHookPre CallFunction(sub_bytes, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}{[2] = tFilter,[1] = Packe,[3] = }Packe, (tFilter, 1, 1)) +0.000000 MetaHookPre CallFunction(sub_bytes, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}{[2] = tFilter,[1] = Packe,[3] = }Packe, (tFilter, 2, 7)) +0.000000 MetaHookPre CallFunction(to_lower, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}{[2] = tFilter,[1] = Packe,[3] = }Packet_Filter, (Packet_Filter)) 0.000000 MetaHookPre DrainEvents() 0.000000 
MetaHookPre LoadFile(../main) 0.000000 MetaHookPre LoadFile(./Bro_ARP.events.bif.bro) @@ -1228,7 +1182,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Unified2::LOG, [columns=, ev=Unified2::log_unified2]) 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1409853900.737227, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) @@ -1319,8 +1273,8 @@ 0.000000 | HookCallFunction Log::create_stream(Unified2::LOG, [columns=, ev=Unified2::log_unified2]) 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509]) -0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1409853900.737227, node=bro, filter=ip or not ip, init=T, success=T]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1409853900.737227, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Notice::want_pp() 0.000000 | HookCallFunction PacketFilter::build() 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, ) 
@@ -1367,20 +1321,20 @@ 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() 1362692526.869344 MetaHookPost BroObjDtor() -> -1362692526.869344 MetaHookPost CallFunction(ChecksumOffloading::check, ()) -> -1362692526.869344 MetaHookPost CallFunction(filter_change_tracking, ()) -> -1362692526.869344 MetaHookPost CallFunction(net_stats, ()) -> -1362692526.869344 MetaHookPost CallFunction(new_connection, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692526.869344 MetaHookPost CallFunction(ChecksumOffloading::check, , ()) -> +1362692526.869344 MetaHookPost CallFunction(filter_change_tracking, , ()) -> +1362692526.869344 MetaHookPost CallFunction(net_stats, frame , ()) -> +1362692526.869344 MetaHookPost CallFunction(new_connection, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692526.869344 MetaHookPost DrainEvents() -> 1362692526.869344 MetaHookPost QueueEvent(ChecksumOffloading::check()) -> false 1362692526.869344 MetaHookPost QueueEvent(filter_change_tracking()) -> false 1362692526.869344 MetaHookPost 
QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false 1362692526.869344 MetaHookPost UpdateNetworkTime(1362692526.869344) -> 1362692526.869344 MetaHookPre BroObjDtor() -1362692526.869344 MetaHookPre CallFunction(ChecksumOffloading::check, ()) -1362692526.869344 MetaHookPre CallFunction(filter_change_tracking, ()) -1362692526.869344 MetaHookPre CallFunction(net_stats, ()) -1362692526.869344 MetaHookPre CallFunction(new_connection, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.869344 MetaHookPre CallFunction(ChecksumOffloading::check, , ()) +1362692526.869344 MetaHookPre CallFunction(filter_change_tracking, , ()) +1362692526.869344 MetaHookPre CallFunction(net_stats, frame , ()) +1362692526.869344 MetaHookPre CallFunction(new_connection, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, 
conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692526.869344 MetaHookPre DrainEvents() 1362692526.869344 MetaHookPre QueueEvent(ChecksumOffloading::check()) 1362692526.869344 MetaHookPre QueueEvent(filter_change_tracking()) 
@@ -1397,11 +1351,11 @@ 1362692526.869344 | HookQueueEvent filter_change_tracking() 1362692526.869344 | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692526.869344 | RequestObjDtor ChecksumOffloading::check() -1362692526.939084 MetaHookPost CallFunction(connection_established, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692526.939084 MetaHookPost CallFunction(connection_established, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692526.939084 MetaHookPost DrainEvents() -> 1362692526.939084 MetaHookPost QueueEvent(connection_established([id=[orig_h=141.142.228.5, 
orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false 1362692526.939084 MetaHookPost UpdateNetworkTime(1362692526.939084) -> -1362692526.939084 MetaHookPre CallFunction(connection_established, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.939084 MetaHookPre CallFunction(connection_established, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692526.939084 MetaHookPre DrainEvents() 1362692526.939084 MetaHookPre QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, 
flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692526.939084 MetaHookPre UpdateNetworkTime(1362692526.939084) 
@@ -1415,32 +1369,32 @@ 1362692526.939378 MetaHookPre UpdateNetworkTime(1362692526.939378) 1362692526.939378 | HookUpdateNetworkTime 1362692526.939378 1362692526.939378 | HookDrainEvents -1362692526.939527 MetaHookPost CallFunction(Analyzer::__name, (Analyzer::ANALYZER_HTTP)) -> -1362692526.939527 MetaHookPost CallFunction(Analyzer::name, (Analyzer::ANALYZER_HTTP)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::new_http_session, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, 
current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, 
num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, T)) -> -1362692526.939527 MetaHookPost CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692526.939527 MetaHookPost CallFunction(fmt, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> -1362692526.939527 MetaHookPost CallFunction(fmt, (-%s, HTTP)) -> -1362692526.939527 MetaHookPost CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost CallFunction(http_begin_entity, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost 
CallFunction(http_end_entity, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) -> -1362692526.939527 MetaHookPost CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> -1362692526.939527 MetaHookPost CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) -> -1362692526.939527 MetaHookPost CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) -> -1362692526.939527 MetaHookPost CallFunction(http_message_done, 
([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> -1362692526.939527 MetaHookPost CallFunction(http_request, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> -1362692526.939527 MetaHookPost CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> -1362692526.939527 MetaHookPost CallFunction(network_time, ()) -> -1362692526.939527 MetaHookPost CallFunction(protocol_confirmation, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) -> -1362692526.939527 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692526.939527 MetaHookPost CallFunction(split1, (bro.org, <...>/)) -> +1362692526.939527 MetaHookPost CallFunction(Analyzer::__name, frame Analyzer::ANALYZER_HTTP, (Analyzer::ANALYZER_HTTP)) -> +1362692526.939527 MetaHookPost CallFunction(Analyzer::name, frame [id=[orig_h=141.142.228.5, 
orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]Analyzer::ANALYZER_HTTP3, (Analyzer::ANALYZER_HTTP)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::get_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::new_http_session, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, 
filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, 
modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, T)) -> +1362692526.939527 MetaHookPost CallFunction(cat, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]T1, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> +1362692526.939527 MetaHookPost CallFunction(fmt, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]Analyzer::ANALYZER_HTTP3HTTP, (-%s, HTTP)) -> +1362692526.939527 
MetaHookPost CallFunction(fmt, frame [orig_h=141.142.228.5, orig_p=59856<...>/tcp)) -> +1362692526.939527 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) -> +1362692526.939527 MetaHookPost CallFunction(http_header, , 
([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> +1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) -> +1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) -> +1362692526.939527 MetaHookPost CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> +1362692526.939527 MetaHookPost CallFunction(http_request, , 
([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> +1362692526.939527 MetaHookPost CallFunction(id_string, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> +1362692526.939527 MetaHookPost CallFunction(network_time, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=][ts=, uid=, id=[orig_h=, orig_p=, resp_h=, resp_p=], trans_depth=, method=, host=, uri=, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0], ()) -> +1362692526.939527 MetaHookPost CallFunction(protocol_confirmation, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) -> +1362692526.939527 MetaHookPost CallFunction(set_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 
(darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]T[get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}], (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> +1362692526.939527 MetaHookPost CallFunction(split1, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/)) -> 1362692526.939527 MetaHookPost DrainEvents() -> 1362692526.939527 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false 1362692526.939527 
MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false 
@@ -1452,32 +1406,32 @@ 1362692526.939527 MetaHookPost QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false 1362692526.939527 MetaHookPost QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> false 1362692526.939527 MetaHookPost UpdateNetworkTime(1362692526.939527) -> -1362692526.939527 MetaHookPre CallFunction(Analyzer::__name, (Analyzer::ANALYZER_HTTP)) -1362692526.939527 MetaHookPre CallFunction(Analyzer::name, (Analyzer::ANALYZER_HTTP)) -1362692526.939527 MetaHookPre CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(HTTP::new_http_session, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, 
uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) -1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) -1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) -1362692526.939527 MetaHookPre 
CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) -1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, T)) -1362692526.939527 MetaHookPre CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -1362692526.939527 MetaHookPre CallFunction(fmt, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -1362692526.939527 MetaHookPre CallFunction(fmt, (-%s, HTTP)) -1362692526.939527 MetaHookPre CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, 
radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(http_begin_entity, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(http_end_entity, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) -1362692526.939527 MetaHookPre CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -1362692526.939527 MetaHookPre CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, 
Keep-Alive)) -1362692526.939527 MetaHookPre CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) -1362692526.939527 MetaHookPre CallFunction(http_message_done, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -1362692526.939527 MetaHookPre CallFunction(http_request, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -1362692526.939527 MetaHookPre CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -1362692526.939527 MetaHookPre CallFunction(network_time, ()) -1362692526.939527 MetaHookPre CallFunction(protocol_confirmation, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, 
dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) -1362692526.939527 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -1362692526.939527 MetaHookPre CallFunction(split1, (bro.org, <...>/)) +1362692526.939527 MetaHookPre CallFunction(Analyzer::__name, frame Analyzer::ANALYZER_HTTP, (Analyzer::ANALYZER_HTTP)) +1362692526.939527 MetaHookPre CallFunction(Analyzer::name, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]Analyzer::ANALYZER_HTTP3, (Analyzer::ANALYZER_HTTP)) +1362692526.939527 MetaHookPre CallFunction(HTTP::get_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::new_http_session, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], 
start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], 
irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, T)) +1362692526.939527 MetaHookPre CallFunction(cat, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]T1, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) +1362692526.939527 MetaHookPre CallFunction(fmt, frame 
[id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]Analyzer::ANALYZER_HTTP3HTTP, (-%s, HTTP)) +1362692526.939527 MetaHookPre CallFunction(fmt, frame [orig_h=141.142.228.5, orig_p=59856<...>/tcp)) +1362692526.939527 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, 
info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) +1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) +1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) +1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) +1362692526.939527 MetaHookPre CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, 
password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) +1362692526.939527 MetaHookPre CallFunction(http_request, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) +1362692526.939527 MetaHookPre CallFunction(id_string, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp])) +1362692526.939527 MetaHookPre CallFunction(network_time, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=][ts=, uid=, id=[orig_h=, orig_p=, resp_h=, resp_p=], trans_depth=, method=, host=, uri=, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0], ()) +1362692526.939527 MetaHookPre CallFunction(protocol_confirmation, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], 
start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) +1362692526.939527 MetaHookPre CallFunction(set_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]T[get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? 
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}], (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) +1362692526.939527 MetaHookPre CallFunction(split1, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/)) 1362692526.939527 MetaHookPre DrainEvents() 1362692526.939527 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692526.939527 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 
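Review bot: The new `frame` field in these expected lines is ambiguous to read: the caller's locals are concatenated with no separator (the `cat` entry ends `syslog=]T1, (` and one `fmt` entry ends `syslog=]Analyzer::ANALYZER_HTTP3HTTP, (`), and a call with no parent frame prints as an empty slot, `CallFunction(http_header, , (`. The code that renders the frame is outside this hunk, so this is inferred from the baseline, but it would help to join the frame values with `, ` and to print an explicit marker for a null frame, e.g. `CallFunction(http_header, frame <null>, (...))`. The dump also pulls the caller's whole state into calls whose arguments never carried it: the `cat` line now includes the connection record with its `username=`/`password=` fields, and the `set_file_handle` line includes script function bodies. If these hook descriptions can reach logs or debug output, consider truncating the frame or printing only a summary of it, and state in the hook documentation that the description may contain sensitive caller locals.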
@@ -1532,22 +1486,38 @@ 1362692527.008509 MetaHookPre UpdateNetworkTime(1362692527.008509) 1362692527.008509 | HookUpdateNetworkTime 1362692527.008509 1362692527.008509 | HookDrainEvents -1362692527.009512 MetaHookPost CallFunction(HTTP::code_in_range, (200, 100, 199)) -> -1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> -1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> -1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> -1362692527.009512 MetaHookPost 
CallFunction(http_begin_entity, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, 
range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -> -1362692527.009512 MetaHookPost CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, 
smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) -> -1362692527.009512 MetaHookPost CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> -1362692527.009512 MetaHookPost CallFunction(http_reply, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> +1362692527.009512 MetaHookPost CallFunction(Files::__add_analyzers_for_mime_type, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, [chunk_event=, stream_event=, extract_filename=, extract_limit=0])) -> +1362692527.009512 MetaHookPost CallFunction(Files::add_analyzers_for_mime_type, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -> +1362692527.009512 
MetaHookPost CallFunction(Files::set_info, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_info, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::code_in_range, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]1.1200OK[pending={}, current_request=0, current_response=0], (200, 100, 199)) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::get_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, 
status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> +1362692527.009512 MetaHookPost CallFunction(cat, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], 
irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]F1, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> +1362692527.009512 MetaHookPost CallFunction(file_new, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(file_over_new_connection, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(fmt, frame [orig_h=141.142.228.5, orig_p=59856<...>/tcp)) -> +1362692527.009512 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, 
capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, 
socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, 
response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> +1362692527.009512 MetaHookPost CallFunction(http_reply, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> +1362692527.009512 MetaHookPost CallFunction(id_string, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> +1362692527.009512 MetaHookPost CallFunction(set_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=]F[get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}], (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> +1362692527.009512 MetaHookPost CallFunction(split_all, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/)) -> 1362692527.009512 MetaHookPost DrainEvents() -> +1362692527.009512 MetaHookPost QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) -> false +1362692527.009512 MetaHookPost QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false +1362692527.009512 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 
(darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009512 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -> false 1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, 
current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -> false 
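Review bot: The new `frame` argument is printed with its values run together and no delimiter, so the regenerated baseline pins output such as `syslog=]1.1200OK[pending={}, current_request=0, current_response=0]` on the `HTTP::code_in_range` line and `frame Analyzer::ANALYZER_HTTP[id=[orig_h=...` on the `HTTP::get_file_handle` line, where `1.1`, `200` and `OK` can no longer be told apart. Event handlers called without a parent frame print an empty slot, `CallFunction(file_new, , (...`, which reads like a missing argument. The code that describes a frame is outside this hunk; I would have it join the frame's values with `, ` and print an explicit marker such as `frame <none>` for a null parent before regenerating this file. The frame dump also repeats whole connection records (including the `username=` and `password=` fields) and script function bodies on every call line, so it is worth confirming that this much state belongs in a hook log. The neighbouring hunks of this baseline show the same output.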
@@ -1560,22 +1530,38 @@ 1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> false 1362692527.009512 MetaHookPost QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> false 1362692527.009512 MetaHookPost UpdateNetworkTime(1362692527.009512) -> -1362692527.009512 MetaHookPre CallFunction(HTTP::code_in_range, (200, 100, 199)) -1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) 
-1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -1362692527.009512 MetaHookPre CallFunction(http_begin_entity, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -1362692527.009512 MetaHookPre CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, 
orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -1362692527.009512 MetaHookPre CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -1362692527.009512 MetaHookPre CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -1362692527.009512 MetaHookPre CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=], F, ETAG, "1261-4c870358a6fc0")) -1362692527.009512 MetaHookPre CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -1362692527.009512 MetaHookPre CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -1362692527.009512 MetaHookPre CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) -1362692527.009512 MetaHookPre CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -1362692527.009512 MetaHookPre CallFunction(http_reply, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, 
socks=, ssh=, syslog=], 1.1, 200, OK)) +1362692527.009512 MetaHookPre CallFunction(Files::__add_analyzers_for_mime_type, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, [chunk_event=, stream_event=, extract_filename=, extract_limit=0])) +1362692527.009512 MetaHookPre CallFunction(Files::add_analyzers_for_mime_type, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) +1362692527.009512 MetaHookPre CallFunction(Files::set_info, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::set_info, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(HTTP::code_in_range, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]1.1200OK[pending={}, current_request=0, current_response=0], (200, 100, 199)) +1362692527.009512 MetaHookPre CallFunction(HTTP::get_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, 
filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) +1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) +1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, 
ssh=, syslog=], F, F)) +1362692527.009512 MetaHookPre CallFunction(cat, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]F1, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) +1362692527.009512 MetaHookPre CallFunction(file_new, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(file_over_new_connection, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(fmt, frame [orig_h=141.142.228.5, orig_p=59856<...>/tcp)) +1362692527.009512 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, 
resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) +1362692527.009512 MetaHookPre CallFunction(http_header, , 
([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, 
proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) +1362692527.009512 MetaHookPre CallFunction(http_reply, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) +1362692527.009512 MetaHookPre CallFunction(id_string, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp])) +1362692527.009512 MetaHookPre CallFunction(set_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), 
request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]F[get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}], (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) +1362692527.009512 MetaHookPre CallFunction(split_all, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/)) 1362692527.009512 MetaHookPre DrainEvents() +1362692527.009512 MetaHookPre QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) +1362692527.009512 MetaHookPre QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, 
orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) 1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, 
orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) 
@@ -1589,10 +1575,20 @@ 1362692527.009512 MetaHookPre QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) 1362692527.009512 MetaHookPre UpdateNetworkTime(1362692527.009512) 1362692527.009512 | HookUpdateNetworkTime 1362692527.009512 +1362692527.009512 | HookCallFunction Files::__add_analyzers_for_mime_type(FakNcS1Jfe01uljb3, text/plain, [chunk_event=, stream_event=, extract_filename=, extract_limit=0]) +1362692527.009512 | HookCallFunction Files::add_analyzers_for_mime_type([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain) +1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=]) +1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=]) 1362692527.009512 | HookCallFunction HTTP::code_in_range(200, 100, 199) +1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, 
range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F) 1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F) 1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F) +1362692527.009512 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 
141.142.228.5:59856 > 192.150.187.43:80) +1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=]) +1362692527.009512 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) +1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, 
radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes) 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive) 
@@ -1604,7 +1600,13 @@ 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora)) 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8) 1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK) +1362692527.009512 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) +1362692527.009512 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) +1362692527.009512 | HookCallFunction split_all(HTTP, <...>/) 1362692527.009512 | HookDrainEvents +1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=]) +1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookQueueEvent 
get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes) 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, 
orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive) 
@@ -1616,124 +1618,76 @@ 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora)) 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8) 1362692527.009512 | HookQueueEvent http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK) -1362692527.009721 MetaHookPost CallFunction(Files::__add_analyzers_for_mime_type, (FakNcS1Jfe01uljb3, text/plain, [chunk_event=, stream_event=, extract_filename=, extract_limit=0])) -> -1362692527.009721 MetaHookPost CallFunction(Files::add_analyzers_for_mime_type, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -> -1362692527.009721 MetaHookPost CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -> -1362692527.009721 MetaHookPost CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) -> -1362692527.009721 MetaHookPost CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, 
filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009721 MetaHookPost CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009721 MetaHookPost CallFunction(file_new, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) -> -1362692527.009721 MetaHookPost CallFunction(file_over_new_connection, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009721 MetaHookPost CallFunction(fmt, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> -1362692527.009721 MetaHookPost CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=], F)) -> -1362692527.009721 MetaHookPost CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> -1362692527.009721 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009721 MetaHookPost CallFunction(split_all, (HTTP, <...>/)) -> 1362692527.009721 MetaHookPost DrainEvents() -> -1362692527.009721 MetaHookPost QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) -> false -1362692527.009721 MetaHookPost QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false -1362692527.009721 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009721 MetaHookPost UpdateNetworkTime(1362692527.009721) -> -1362692527.009721 MetaHookPre CallFunction(Files::__add_analyzers_for_mime_type, 
(FakNcS1Jfe01uljb3, text/plain, [chunk_event=, stream_event=, extract_filename=, extract_limit=0])) -1362692527.009721 MetaHookPre CallFunction(Files::add_analyzers_for_mime_type, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -1362692527.009721 MetaHookPre CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -1362692527.009721 MetaHookPre CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) -1362692527.009721 MetaHookPre CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009721 MetaHookPre CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009721 MetaHookPre CallFunction(file_new, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) -1362692527.009721 MetaHookPre CallFunction(file_over_new_connection, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), 
request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009721 MetaHookPre CallFunction(fmt, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -1362692527.009721 MetaHookPre CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009721 MetaHookPre CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -1362692527.009721 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009721 MetaHookPre CallFunction(split_all, (HTTP, <...>/)) 1362692527.009721 MetaHookPre DrainEvents() -1362692527.009721 MetaHookPre QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) -1362692527.009721 MetaHookPre QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, 
password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009721 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009721 MetaHookPre UpdateNetworkTime(1362692527.009721) 1362692527.009721 | HookUpdateNetworkTime 1362692527.009721 -1362692527.009721 | HookCallFunction Files::__add_analyzers_for_mime_type(FakNcS1Jfe01uljb3, text/plain, [chunk_event=, stream_event=, extract_filename=, extract_limit=0]) -1362692527.009721 | HookCallFunction Files::add_analyzers_for_mime_type([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain) -1362692527.009721 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=]) -1362692527.009721 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=]) -1362692527.009721 | HookCallFunction 
HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009721 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) -1362692527.009721 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=]) -1362692527.009721 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009721 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) -1362692527.009721 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, 
resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009721 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) -1362692527.009721 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) -1362692527.009721 | HookCallFunction split_all(HTTP, <...>/) 1362692527.009721 | HookDrainEvents -1362692527.009721 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=]) -1362692527.009721 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009721 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009765 MetaHookPost DrainEvents() -> 1362692527.009765 MetaHookPost UpdateNetworkTime(1362692527.009765) -> 1362692527.009765 MetaHookPre 
DrainEvents() 1362692527.009765 MetaHookPre UpdateNetworkTime(1362692527.009765) 1362692527.009765 | HookUpdateNetworkTime 1362692527.009765 1362692527.009765 | HookDrainEvents -1362692527.009775 MetaHookPost CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -> -1362692527.009775 MetaHookPost CallFunction(HTTP::code_in_range, (200, 100, 199)) -> -1362692527.009775 MetaHookPost CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009775 MetaHookPost CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> -1362692527.009775 MetaHookPost CallFunction(Log::__write, (Files::LOG, [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=53.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) -> -1362692527.009775 MetaHookPost CallFunction(Log::__write, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -> -1362692527.009775 MetaHookPost 
CallFunction(Log::default_path_func, (Files::LOG, , [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=53.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) -> -1362692527.009775 MetaHookPost CallFunction(Log::default_path_func, (HTTP::LOG, , [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -> -1362692527.009775 MetaHookPost CallFunction(Log::write, (Files::LOG, [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=53.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) -> -1362692527.009775 MetaHookPost CallFunction(Log::write, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -> -1362692527.009775 MetaHookPost CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009775 MetaHookPost CallFunction(file_state_remove, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -> -1362692527.009775 MetaHookPost CallFunction(fmt, (%s, Files::LOG)) -> -1362692527.009775 
MetaHookPost CallFunction(fmt, (%s, HTTP::LOG)) -> -1362692527.009775 MetaHookPost CallFunction(fmt, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> -1362692527.009775 MetaHookPost CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009775 MetaHookPost CallFunction(http_end_entity, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009775 MetaHookPost CallFunction(http_message_done, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> -1362692527.009775 MetaHookPost CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> -1362692527.009775 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009775 MetaHookPost CallFunction(split1, (Files::LOG, <...>/)) -> -1362692527.009775 MetaHookPost CallFunction(split1, (HTTP::LOG, <...>/)) -> -1362692527.009775 MetaHookPost CallFunction(split_n, (Files, <...>/, T, 4)) -> -1362692527.009775 MetaHookPost CallFunction(split_n, (HTTP, <...>/, T, 4)) -> -1362692527.009775 MetaHookPost CallFunction(to_lower, (Files)) -> -1362692527.009775 MetaHookPost CallFunction(to_lower, (HTTP)) -> +1362692527.009775 MetaHookPost CallFunction(Files::set_info, frame 
[id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -> +1362692527.009775 MetaHookPost CallFunction(HTTP::code_in_range, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]F[start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280], (200, 100, 199)) -> +1362692527.009775 MetaHookPost CallFunction(HTTP::get_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009775 MetaHookPost CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> +1362692527.009775 MetaHookPost CallFunction(Log::__write, frame Files::LOG[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text<...>/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) -> +1362692527.009775 MetaHookPost CallFunction(Log::__write, frame HTTP::LOG[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, 
id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -> +1362692527.009775 MetaHookPost CallFunction(Log::default_path_func, , (Files::LOG, , [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) -> +1362692527.009775 MetaHookPost CallFunction(Log::default_path_func, , (HTTP::LOG, , [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -> +1362692527.009775 MetaHookPost CallFunction(Log::write, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) -> +1362692527.009775 MetaHookPost CallFunction(Log::write, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -> +1362692527.009775 MetaHookPost CallFunction(cat, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]F1, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> +1362692527.009775 MetaHookPost CallFunction(file_state_remove, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, 
seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -> +1362692527.009775 MetaHookPost CallFunction(fmt, frame Files::LOG[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], (%s, Files::LOG)) -> +1362692527.009775 MetaHookPost CallFunction(fmt, frame HTTP::LOG[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], (%s, HTTP::LOG)) -> +1362692527.009775 MetaHookPost CallFunction(fmt, frame [orig_h=141.142.228.5, orig_p=59856<...>/tcp)) -> +1362692527.009775 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009775 MetaHookPost CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009775 MetaHookPost CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, 
content_gap_length=0, header_length=280])) -> +1362692527.009775 MetaHookPost CallFunction(id_string, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> +1362692527.009775 MetaHookPost CallFunction(set_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]F[get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}], (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> +1362692527.009775 MetaHookPost CallFunction(split1, frame Files::LOG[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text<...>/)) -> +1362692527.009775 MetaHookPost CallFunction(split1, frame HTTP::LOG[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/)) -> +1362692527.009775 MetaHookPost CallFunction(split_n, frame Files::LOG[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text<...>/, T, 4)) -> +1362692527.009775 MetaHookPost 
CallFunction(split_n, frame HTTP::LOG[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/, T, 4)) -> +1362692527.009775 MetaHookPost CallFunction(to_lower, frame Files::LOG[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=]Files::LOG{[2] = LOG,[1] = Files}{[1] = Files}Files, (Files)) -> +1362692527.009775 MetaHookPost CallFunction(to_lower, frame HTTP::LOG[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]HTTP::LOG{[2] = LOG,[1] = HTTP}{[1] = HTTP}HTTP, (HTTP)) -> 1362692527.009775 MetaHookPost DrainEvents() -> 1362692527.009775 MetaHookPost QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -> false 1362692527.009775 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009775 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=], F)) -> false 1362692527.009775 MetaHookPost QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> false 1362692527.009775 MetaHookPost UpdateNetworkTime(1362692527.009775) -> -1362692527.009775 MetaHookPre CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -1362692527.009775 MetaHookPre CallFunction(HTTP::code_in_range, (200, 100, 199)) -1362692527.009775 MetaHookPre CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009775 MetaHookPre CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -1362692527.009775 MetaHookPre CallFunction(Log::__write, (Files::LOG, [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=53.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, 
sha1=, sha256=, x509=, extracted=])) -1362692527.009775 MetaHookPre CallFunction(Log::__write, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -1362692527.009775 MetaHookPre CallFunction(Log::default_path_func, (Files::LOG, , [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=53.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) -1362692527.009775 MetaHookPre CallFunction(Log::default_path_func, (HTTP::LOG, , [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -1362692527.009775 MetaHookPre CallFunction(Log::write, (Files::LOG, [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=53.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) -1362692527.009775 MetaHookPre CallFunction(Log::write, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -1362692527.009775 MetaHookPre CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009775 MetaHookPre CallFunction(file_state_remove, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, 
local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -1362692527.009775 MetaHookPre CallFunction(fmt, (%s, Files::LOG)) -1362692527.009775 MetaHookPre CallFunction(fmt, (%s, HTTP::LOG)) -1362692527.009775 MetaHookPre CallFunction(fmt, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -1362692527.009775 MetaHookPre CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009775 MetaHookPre CallFunction(http_end_entity, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009775 MetaHookPre CallFunction(http_message_done, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -1362692527.009775 MetaHookPre CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -1362692527.009775 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009775 MetaHookPre CallFunction(split1, (Files::LOG, <...>/)) -1362692527.009775 MetaHookPre CallFunction(split1, (HTTP::LOG, <...>/)) -1362692527.009775 MetaHookPre CallFunction(split_n, (Files, <...>/, T, 4)) -1362692527.009775 MetaHookPre CallFunction(split_n, (HTTP, <...>/, T, 4)) 
-1362692527.009775 MetaHookPre CallFunction(to_lower, (Files)) -1362692527.009775 MetaHookPre CallFunction(to_lower, (HTTP)) +1362692527.009775 MetaHookPre CallFunction(Files::set_info, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) +1362692527.009775 MetaHookPre CallFunction(HTTP::code_in_range, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]F[start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280], (200, 100, 199)) +1362692527.009775 MetaHookPre CallFunction(HTTP::get_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009775 MetaHookPre CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) +1362692527.009775 MetaHookPre CallFunction(Log::__write, frame Files::LOG[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text<...>/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, 
parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) +1362692527.009775 MetaHookPre CallFunction(Log::__write, frame HTTP::LOG[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) +1362692527.009775 MetaHookPre CallFunction(Log::default_path_func, , (Files::LOG, , [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) +1362692527.009775 MetaHookPre CallFunction(Log::default_path_func, , (HTTP::LOG, , [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) +1362692527.009775 MetaHookPre CallFunction(Log::write, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) +1362692527.009775 MetaHookPre CallFunction(Log::write, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) +1362692527.009775 MetaHookPre CallFunction(cat, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]F1, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) +1362692527.009775 MetaHookPre CallFunction(file_state_remove, , 
([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) +1362692527.009775 MetaHookPre CallFunction(fmt, frame Files::LOG[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], (%s, Files::LOG)) +1362692527.009775 MetaHookPre CallFunction(fmt, frame HTTP::LOG[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], (%s, HTTP::LOG)) +1362692527.009775 MetaHookPre CallFunction(fmt, frame [orig_h=141.142.228.5, orig_p=59856<...>/tcp)) +1362692527.009775 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009775 MetaHookPre CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009775 MetaHookPre CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, 
smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) +1362692527.009775 MetaHookPre CallFunction(id_string, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp])) +1362692527.009775 MetaHookPre CallFunction(set_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]F[get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}], (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) +1362692527.009775 MetaHookPre CallFunction(split1, frame Files::LOG[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text<...>/)) +1362692527.009775 MetaHookPre CallFunction(split1, frame HTTP::LOG[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/)) +1362692527.009775 MetaHookPre CallFunction(split_n, frame Files::LOG[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, 
conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text<...>/, T, 4)) +1362692527.009775 MetaHookPre CallFunction(split_n, frame HTTP::LOG[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/, T, 4)) +1362692527.009775 MetaHookPre CallFunction(to_lower, frame Files::LOG[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=]Files::LOG{[2] = LOG,[1] = Files}{[1] = Files}Files, (Files)) +1362692527.009775 MetaHookPre CallFunction(to_lower, frame HTTP::LOG[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]HTTP::LOG{[2] = LOG,[1] = HTTP}{[1] = HTTP}HTTP, (HTTP)) 1362692527.009775 MetaHookPre DrainEvents() 1362692527.009775 MetaHookPre QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) 1362692527.009775 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 
@@ -1745,11 +1699,11 @@ 1362692527.009775 | HookCallFunction HTTP::code_in_range(200, 100, 199) 1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009775 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F) -1362692527.009775 | HookCallFunction Log::__write(Files::LOG, [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=53.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=]) +1362692527.009775 | HookCallFunction Log::__write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=]) 1362692527.009775 | HookCallFunction Log::__write(HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]) -1362692527.009775 | HookCallFunction Log::default_path_func(Files::LOG, , [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, 
depth=0, analyzers={}, mime_type=text/plain, filename=, duration=53.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=]) +1362692527.009775 | HookCallFunction Log::default_path_func(Files::LOG, , [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=]) 1362692527.009775 | HookCallFunction Log::default_path_func(HTTP::LOG, , [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]) -1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=53.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=]) +1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=]) 1362692527.009775 | HookCallFunction Log::write(HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, 
orig_mime_depth=1, resp_mime_depth=1]) 1362692527.009775 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) 1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=]) 
@@ -1796,33 +1750,33 @@ 1362692527.080828 MetaHookPre UpdateNetworkTime(1362692527.080828) 1362692527.080828 | HookUpdateNetworkTime 1362692527.080828 1362692527.080828 | HookDrainEvents -1362692527.080972 MetaHookPost CallFunction(ChecksumOffloading::check, ()) -> -1362692527.080972 MetaHookPost CallFunction(Conn::conn_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp)) -> -1362692527.080972 MetaHookPost CallFunction(Conn::determine_service, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> -1362692527.080972 MetaHookPost CallFunction(Conn::set_conn, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692527.080972 MetaHookPost CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692527.080972 MetaHookPost CallFunction(Log::__write, (Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> -1362692527.080972 MetaHookPost 
CallFunction(Log::default_path_func, (Conn::LOG, , [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> -1362692527.080972 MetaHookPost CallFunction(Log::write, (Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> -1362692527.080972 MetaHookPost CallFunction(bro_done, ()) -> -1362692527.080972 MetaHookPost CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.080972 MetaHookPost CallFunction(connection_state_remove, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> -1362692527.080972 MetaHookPost CallFunction(filter_change_tracking, ()) -> -1362692527.080972 MetaHookPost CallFunction(fmt, (%s, Conn::LOG)) -> -1362692527.080972 MetaHookPost CallFunction(fmt, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> -1362692527.080972 MetaHookPost CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692527.080972 MetaHookPost CallFunction(get_port_transport_proto, (80/tcp)) -> -1362692527.080972 
MetaHookPost CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> -1362692527.080972 MetaHookPost CallFunction(is_tcp_port, (59856/tcp)) -> -1362692527.080972 MetaHookPost CallFunction(net_done, (1362692527.080972)) -> -1362692527.080972 MetaHookPost CallFunction(net_stats, ()) -> -1362692527.080972 MetaHookPost CallFunction(reading_traces, ()) -> -1362692527.080972 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.080972 MetaHookPost CallFunction(split1, (Conn::LOG, <...>/)) -> -1362692527.080972 MetaHookPost CallFunction(split_n, (Conn, <...>/, T, 4)) -> -1362692527.080972 MetaHookPost CallFunction(sub_bytes, (HTTP, 0, 1)) -> -1362692527.080972 MetaHookPost CallFunction(to_lower, (Conn)) -> -1362692527.080972 MetaHookPost CallFunction(to_lower, (HTTP)) -> +1362692527.080972 MetaHookPost CallFunction(ChecksumOffloading::check, , ()) -> +1362692527.080972 MetaHookPost CallFunction(Conn::conn_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp)) -> +1362692527.080972 MetaHookPost CallFunction(Conn::determine_service, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692527.080972 MetaHookPost CallFunction(Conn::set_conn, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692527.080972 MetaHookPost 
CallFunction(HTTP::get_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692527.080972 MetaHookPost CallFunction(Log::__write, frame Conn::LOG[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> +1362692527.080972 MetaHookPost CallFunction(Log::default_path_func, , (Conn::LOG, , [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> +1362692527.080972 MetaHookPost CallFunction(Log::write, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> +1362692527.080972 MetaHookPost CallFunction(bro_done, , ()) -> +1362692527.080972 MetaHookPost CallFunction(cat, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]T1, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> +1362692527.080972 MetaHookPost 
CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692527.080972 MetaHookPost CallFunction(filter_change_tracking, , ()) -> +1362692527.080972 MetaHookPost CallFunction(fmt, frame Conn::LOG[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}], (%s, Conn::LOG)) -> +1362692527.080972 MetaHookPost CallFunction(fmt, frame [orig_h=141.142.228.5, orig_p=59856<...>/tcp)) -> +1362692527.080972 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692527.080972 MetaHookPost CallFunction(get_port_transport_proto, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp)) -> +1362692527.080972 MetaHookPost CallFunction(id_string, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> +1362692527.080972 MetaHookPost CallFunction(is_tcp_port, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp)) -> +1362692527.080972 MetaHookPost CallFunction(net_done, , (1362692527.080972)) -> +1362692527.080972 MetaHookPost CallFunction(net_stats, frame , ()) -> +1362692527.080972 MetaHookPost CallFunction(reading_traces, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, 
modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], ()) -> +1362692527.080972 MetaHookPost CallFunction(set_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]T[get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}], (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> +1362692527.080972 MetaHookPost CallFunction(split1, frame Conn::LOG[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/)) -> +1362692527.080972 MetaHookPost CallFunction(split_n, frame Conn::LOG[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/, T, 4)) -> +1362692527.080972 MetaHookPost CallFunction(sub_bytes, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]HTTP, (HTTP, 0, 1)) -> +1362692527.080972 MetaHookPost CallFunction(to_lower, frame Conn::LOG[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, 
id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]Conn::LOG{[2] = LOG,[1] = Conn}{[1] = Conn}Conn, (Conn)) -> +1362692527.080972 MetaHookPost CallFunction(to_lower, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]HTTPHTTP, (HTTP)) -> 1362692527.080972 MetaHookPost DrainEvents() -> 1362692527.080972 MetaHookPost QueueEvent(ChecksumOffloading::check()) -> false 1362692527.080972 MetaHookPost QueueEvent(bro_done()) -> false 
@@ -1830,33 +1784,33 @@ 1362692527.080972 MetaHookPost QueueEvent(filter_change_tracking()) -> false 1362692527.080972 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false 1362692527.080972 MetaHookPost UpdateNetworkTime(1362692527.080972) -> -1362692527.080972 MetaHookPre CallFunction(ChecksumOffloading::check, ()) -1362692527.080972 MetaHookPre CallFunction(Conn::conn_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp)) -1362692527.080972 MetaHookPre CallFunction(Conn::determine_service, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -1362692527.080972 MetaHookPre CallFunction(Conn::set_conn, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692527.080972 MetaHookPre CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692527.080972 MetaHookPre CallFunction(Log::__write, (Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, 
id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -1362692527.080972 MetaHookPre CallFunction(Log::default_path_func, (Conn::LOG, , [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -1362692527.080972 MetaHookPre CallFunction(Log::write, (Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -1362692527.080972 MetaHookPre CallFunction(bro_done, ()) -1362692527.080972 MetaHookPre CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.080972 MetaHookPre CallFunction(connection_state_remove, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -1362692527.080972 MetaHookPre CallFunction(filter_change_tracking, ()) -1362692527.080972 MetaHookPre CallFunction(fmt, (%s, Conn::LOG)) -1362692527.080972 MetaHookPre CallFunction(fmt, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -1362692527.080972 MetaHookPre CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, 
orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692527.080972 MetaHookPre CallFunction(get_port_transport_proto, (80/tcp)) -1362692527.080972 MetaHookPre CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -1362692527.080972 MetaHookPre CallFunction(is_tcp_port, (59856/tcp)) -1362692527.080972 MetaHookPre CallFunction(net_done, (1362692527.080972)) -1362692527.080972 MetaHookPre CallFunction(net_stats, ()) -1362692527.080972 MetaHookPre CallFunction(reading_traces, ()) -1362692527.080972 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.080972 MetaHookPre CallFunction(split1, (Conn::LOG, <...>/)) -1362692527.080972 MetaHookPre CallFunction(split_n, (Conn, <...>/, T, 4)) -1362692527.080972 MetaHookPre CallFunction(sub_bytes, (HTTP, 0, 1)) -1362692527.080972 MetaHookPre CallFunction(to_lower, (Conn)) -1362692527.080972 MetaHookPre CallFunction(to_lower, (HTTP)) +1362692527.080972 MetaHookPre CallFunction(ChecksumOffloading::check, , ()) +1362692527.080972 MetaHookPre CallFunction(Conn::conn_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp)) +1362692527.080972 MetaHookPre CallFunction(Conn::determine_service, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692527.080972 MetaHookPre CallFunction(Conn::set_conn, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, 
resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692527.080972 MetaHookPre CallFunction(HTTP::get_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692527.080972 MetaHookPre CallFunction(Log::__write, frame Conn::LOG[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) +1362692527.080972 MetaHookPre CallFunction(Log::default_path_func, , (Conn::LOG, , [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) +1362692527.080972 MetaHookPre CallFunction(Log::write, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) +1362692527.080972 MetaHookPre CallFunction(bro_done, , ()) +1362692527.080972 MetaHookPre CallFunction(cat, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, 
ssh=, syslog=]T1, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) +1362692527.080972 MetaHookPre CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692527.080972 MetaHookPre CallFunction(filter_change_tracking, , ()) +1362692527.080972 MetaHookPre CallFunction(fmt, frame Conn::LOG[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}], (%s, Conn::LOG)) +1362692527.080972 MetaHookPre CallFunction(fmt, frame [orig_h=141.142.228.5, orig_p=59856<...>/tcp)) +1362692527.080972 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692527.080972 MetaHookPre CallFunction(get_port_transport_proto, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp)) +1362692527.080972 MetaHookPre CallFunction(id_string, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp])) +1362692527.080972 MetaHookPre CallFunction(is_tcp_port, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp)) +1362692527.080972 MetaHookPre CallFunction(net_done, , (1362692527.080972)) +1362692527.080972 MetaHookPre CallFunction(net_stats, frame , ()) +1362692527.080972 MetaHookPre CallFunction(reading_traces, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, 
orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], ()) +1362692527.080972 MetaHookPre CallFunction(set_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]T[get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}], (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) +1362692527.080972 MetaHookPre CallFunction(split1, frame Conn::LOG[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/)) +1362692527.080972 MetaHookPre CallFunction(split_n, frame Conn::LOG[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/, T, 4)) +1362692527.080972 MetaHookPre CallFunction(sub_bytes, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]HTTP, (HTTP, 0, 1)) +1362692527.080972 MetaHookPre 
CallFunction(to_lower, frame Conn::LOG[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]Conn::LOG{[2] = LOG,[1] = Conn}{[1] = Conn}Conn, (Conn)) +1362692527.080972 MetaHookPre CallFunction(to_lower, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]HTTPHTTP, (HTTP)) 1362692527.080972 MetaHookPre DrainEvents() 1362692527.080972 MetaHookPre QueueEvent(ChecksumOffloading::check()) 1362692527.080972 MetaHookPre QueueEvent(bro_done()) diff --git a/testing/btest/plugins/api-version-mismatch.sh b/testing/btest/plugins/api-version-mismatch.sh index f8d88b4fc4..4bd0f1078f 100644 --- a/testing/btest/plugins/api-version-mismatch.sh +++ b/testing/btest/plugins/api-version-mismatch.sh @@ -2,6 +2,7 @@ # @TEST-EXEC: bash %INPUT # @TEST-EXEC: ./configure --bro-dist=${DIST} && make # @TEST-EXEC-FAIL: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >>output 2>&1 +# @TEST-EXEC: cat output | sed 's/\/[^ ]*/XXX/g' > output.2 && mv -f output.2 output # @TEST-EXEC: btest-diff output ( echo '#define BRO_PLUGIN_API_VERSION 42'; cat src/Plugin.cc; ) >src/Plugin.cc.tmp && mv src/Plugin.cc.tmp src/Plugin.cc diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.cc b/testing/btest/plugins/hooks-plugin/src/Plugin.cc index e5507f5a0e..1361f8eeca 100644 --- a/testing/btest/plugins/hooks-plugin/src/Plugin.cc +++ b/testing/btest/plugins/hooks-plugin/src/Plugin.cc @@ -5,6 +5,7 @@ #include namespace plugin { namespace Demo_Hooks { Plugin plugin; } } +using plugin::ValWrapper; using namespace plugin::Demo_Hooks; 
@@ -48,7 +49,7 @@ int Plugin::HookLoadFile(const std::string& file, const std::string& ext)
 return -1;
 }
-Val* Plugin::HookCallFunction(const Func* func, Frame* frame, val_list* args)
+ValWrapper* Plugin::HookCallFunction(const Func* func, Frame* frame, val_list* args)
 {
 ODesc d;
 d.SetShort();
diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.h b/testing/btest/plugins/hooks-plugin/src/Plugin.h
index 940e427621..8cbf1d0e5b 100644
--- a/testing/btest/plugins/hooks-plugin/src/Plugin.h
+++ b/testing/btest/plugins/hooks-plugin/src/Plugin.h
@@ -11,7 +11,7 @@ class Plugin : public ::plugin::Plugin
 {
 protected:
 virtual int HookLoadFile(const std::string& file, const std::string& ext);
- virtual Val* HookCallFunction(const Func* func, Frame* frame, val_list* args);
+ virtual plugin::ValWrapper* HookCallFunction(const Func* func, Frame* frame, val_list* args);
 virtual bool HookQueueEvent(Event* event);
 virtual void HookDrainEvents();
 virtual void HookUpdateNetworkTime(double network_time);
From 619062fb5535e9c454628df633eb4400587c13f2 Mon Sep 17 00:00:00 2001
From: Gilbert Clark
Date: Thu, 2 Oct 2014 20:25:47 -0400
Subject: [PATCH 006/109] Fixing logic errors in HandlePluginResult
---
 src/Func.cc | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/Func.cc b/src/Func.cc
index 547af2c6ce..409bdcae25 100644
--- a/src/Func.cc
+++ b/src/Func.cc
@@ -289,11 +289,14 @@ ValWrapper* Func::HandlePluginResult(ValWrapper* plugin_result, val_list* args,
 if ( (! yt) || yt->Tag() == TYPE_VOID )
 {
- char sbuf[1024];
- snprintf(sbuf, 1024, "plugin returned non-void result for void method %s", this->Name());
- reporter->InternalError(sbuf);
+ if(plugin_result && plugin_result->value)
+ {
+ char sbuf[1024];
+ snprintf(sbuf, 1024, "plugin returned non-void result for void method %s", this->Name());
+ reporter->InternalError(sbuf);
+ }
 }
- else if ( plugin_result->value->Type()->Tag() != yt->Tag() && yt->Tag() != TYPE_ANY)
+ else if ( plugin_result->value && plugin_result->value->Type()->Tag() != yt->Tag() && yt->Tag() != TYPE_ANY)
 {
 char sbuf[1024];
 snprintf(sbuf, 1024, "plugin returned wrong type (got %d, expecting %d) for %s", plugin_result->value->Type()->Tag(), yt->Tag(), this->Name());
From be5cb549a9b1d832b0b462fe460dfc24697227c7 Mon Sep 17 00:00:00 2001
From: Gilbert Clark
Date: Tue, 7 Oct 2014 22:11:41 -0400
Subject: [PATCH 007/109] Re-updating plugin.hooks test to include new argument output (after merge).
---
 testing/btest/Baseline/plugins.hooks/output | 1912 +++++++++++++++----
 1 file changed, 1580 insertions(+), 332 deletions(-)
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index c6713eb6a7..4724e9fb9f 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
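Review bot: In Func::HandlePluginResult (src/Func.cc) the new `else if` condition dereferences `plugin_result->value` without the `plugin_result &&` guard that the void branch directly above it now carries, so the two branches disagree on whether a null wrapper can reach this function. If it can, the non-void path is a null dereference on plugin-supplied data; the condition should read `else if ( plugin_result && plugin_result->value && plugin_result->value->Type()->Tag() != yt->Tag() && yt->Tag() != TYPE_ANY )`, or the guard should be dropped from both branches if callers already guarantee a non-null wrapper. The added `plugin_result->value &&` test also means a wrapper with a null value skips the return-type check entirely for a non-void function; whether callers tolerate that is not visible here, so a comment such as `// null value: plugin handled the call but produced no result` would document the intent. The function body starts and ends outside the hunk.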
@@ -155,7 +155,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, frame Unified2::LOG[columns=, ev=Unified2::log_unified2], (Unified2::LOG, [columns=, ev=Unified2::log_unified2])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, frame Weird::LOG[columns=, ev=Weird::log_weird], (Weird::LOG, [columns=, ev=Weird::log_weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, frame X509::LOG[columns=, ev=X509::log_x509], (X509::LOG, [columns=, ev=X509::log_x509])) -> -0.000000 MetaHookPost CallFunction(Log::__write, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T], (PacketFilter::LOG, [ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, frame PacketFilter::LOG[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T], (PacketFilter::LOG, [ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame Cluster::LOG[columns=, ev=], (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame Communication::LOG[columns=, ev=], (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, frame Conn::LOG[columns=, ev=Conn::log_conn], (Conn::LOG)) -> 
@@ -246,8 +246,8 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, frame Analyzer::ANALYZER_STEPPINGSTONE, (RADIUS::LOG, [columns=, ev=RADIUS::log_radius])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, frame Analyzer::ANALYZER_STEPPINGSTONE, (Software::LOG, [columns=, ev=Software::log_software])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, frame Analyzer::ANALYZER_STEPPINGSTONE, (Syslog::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::default_path_func, , (PacketFilter::LOG, , [ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T])) -> -0.000000 MetaHookPost CallFunction(Log::write, frame ip or not ip1412291343.3228235.0 usecs[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T], (PacketFilter::LOG, [ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::default_path_func, , (PacketFilter::LOG, , [ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, frame ip or not ip1412734245.30831964.0 usecs[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T], (PacketFilter::LOG, [ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, frame , ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::build, frame [ts=, node=, filter=, init=F, success=T], ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, frame [func=]ip or not ip, (ip or not ip, and, )) -> 
@@ -267,340 +267,1588 @@ 0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, frame , (SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average})) -> 0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugins, frame , ()) -> 0.000000 MetaHookPost CallFunction(bro_init, , ()) -> -0.000000 MetaHookPost CallFunction(cat, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}{[2] = tFilter,[1] = Packe,[3] = }Packe, (Packe, t, _, Filter)) -> -0.000000 MetaHookPost CallFunction(current_time, frame ip or not ip1412291343.3228235.0 usecs[ts=0.0, node=bro, filter=, init=F, success=T], ()) -> -0.000000 MetaHookPost CallFunction(current_time, frame ip or not ip1412291343.32282[ts=, node=, filter=, init=F, success=T], ()) -> +0.000000 MetaHookPost CallFunction(cat, frame PacketFilter::LOG[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}{[2] = tFilter,[1] = Packe,[3] = }Packe, (Packe, t, _, Filter)) -> +0.000000 MetaHookPost CallFunction(current_time, frame ip or not ip1412734245.30831964.0 usecs[ts=0.0, node=bro, filter=, init=F, success=T], ()) -> +0.000000 MetaHookPost CallFunction(current_time, frame ip or not ip1412734245.308319[ts=, node=, filter=, init=F, success=T], ()) -> 0.000000 MetaHookPost CallFunction(current_time, frame ip or not ip[ts=, node=, filter=, init=F, success=T], ()) -> 0.000000 MetaHookPost CallFunction(filter_change_tracking, , ()) -> -0.000000 MetaHookPost CallFunction(fmt, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T], (%s, PacketFilter::LOG)) -> +0.000000 MetaHookPost CallFunction(fmt, frame 
PacketFilter::LOG[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T], (%s, PacketFilter::LOG)) -> 0.000000 MetaHookPost CallFunction(getenv, , (CLUSTER_NODE)) -> -0.000000 MetaHookPost CallFunction(install_pcap_filter, frame ip or not ip1412291343.3228235.0 usecs[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T], (PacketFilter::DefaultPcapFilter)) -> -0.000000 MetaHookPost CallFunction(network_time, frame ip or not ip1412291343.3228235.0 usecs[ts=, node=, filter=, init=F, success=T], ()) -> -0.000000 MetaHookPost CallFunction(precompile_pcap_filter, frame ip or not ip1412291343.32282[ts=, node=, filter=, init=F, success=T], (PacketFilter::DefaultPcapFilter, ip or not ip)) -> -0.000000 MetaHookPost CallFunction(reading_live_traffic, frame ip or not ip1412291343.3228235.0 usecs[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T], ()) -> +0.000000 MetaHookPost CallFunction(install_pcap_filter, frame ip or not ip1412734245.30831964.0 usecs[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T], (PacketFilter::DefaultPcapFilter)) -> +0.000000 MetaHookPost CallFunction(network_time, frame ip or not ip1412734245.30831964.0 usecs[ts=, node=, filter=, init=F, success=T], ()) -> +0.000000 MetaHookPost CallFunction(precompile_pcap_filter, frame ip or not ip1412734245.308319[ts=, node=, filter=, init=F, success=T], (PacketFilter::DefaultPcapFilter, ip or not ip)) -> +0.000000 MetaHookPost CallFunction(reading_live_traffic, frame ip or not ip1412734245.30831964.0 usecs[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T], ()) -> 0.000000 MetaHookPost CallFunction(reading_traces, frame , ()) -> 0.000000 MetaHookPost CallFunction(reading_traces, frame , ()) -> -0.000000 MetaHookPost CallFunction(reading_traces, frame ip or not ip1412291343.3228235.0 usecs[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T], ()) -> +0.000000 MetaHookPost 
CallFunction(reading_traces, frame ip or not ip1412734245.30831964.0 usecs[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T], ()) -> 0.000000 MetaHookPost CallFunction(set_to_regex, frame , ({}, (^\.?|\.)(~~)$)) -> -0.000000 MetaHookPost CallFunction(split1, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG, (PacketFilter::LOG, <...>/)) -> -0.000000 MetaHookPost CallFunction(split_n, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}, (PacketFilter, <...>/, T, 4)) -> +0.000000 MetaHookPost CallFunction(split1, frame PacketFilter::LOG[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG, (PacketFilter::LOG, <...>/)) -> +0.000000 MetaHookPost CallFunction(split_n, frame PacketFilter::LOG[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}, (PacketFilter, <...>/, T, 4)) -> 0.000000 MetaHookPost CallFunction(string_to_pattern, frame {}(^\.?|\.)(~~)$0, ((^\.?|\.)()$, F)) -> 0.000000 MetaHookPost CallFunction(sub, frame {}(^\.?|\.)(~~)$0, ((^\.?|\.)(~~)$, <...>/, )) -> -0.000000 MetaHookPost CallFunction(sub_bytes, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}{[2] = tFilter,[1] = Packe,[3] = }Packe, (tFilter, 1, 1)) -> -0.000000 MetaHookPost CallFunction(sub_bytes, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}{[2] = tFilter,[1] = Packe,[3] = }Packe, (tFilter, 2, 7)) -> -0.000000 MetaHookPost CallFunction(to_lower, frame PacketFilter::LOG[ts=1412291343.322872, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}{[2] = tFilter,[1] = Packe,[3] = }Packet_Filter, 
(Packet_Filter)) -> -======= -0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, (Analyzer::ANALYZER_BACKDOOR)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, (Analyzer::ANALYZER_INTERCONN)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, (Analyzer::ANALYZER_STEPPINGSTONE)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, (Analyzer::ANALYZER_TCPSTATS)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DHCP, 67/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DHCP, 68/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3, 20000/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 137/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 53/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 53/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 5353/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 5355/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_FTP, 21/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_GTPV1, 2123/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_GTPV1, 2152/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, 
(Analyzer::ANALYZER_HTTP, 3128/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 631/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 80/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 8000/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 8080/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 81/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_HTTP, 8888/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_IRC, 6666/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_IRC, 6667/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_IRC, 6668/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_IRC, 6669/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_MODBUS, 502/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_RADIUS, 1812/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SMTP, 25/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SMTP, 587/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SNMP, 161/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SNMP, 162/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SOCKS, 1080/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSH, 22/tcp)) -> -0.000000 MetaHookPost 
CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 443/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 5223/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 563/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 585/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 614/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 636/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 989/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 990/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 992/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 993/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SSL, 995/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_BACKDOOR)) -> -0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_INTERCONN)) -> -0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_STEPPINGSTONE)) -> -0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_TCPSTATS)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 67/udp)) -> -0.000000 MetaHookPost 
CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 68/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3, 20000/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 137/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 5353/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 5355/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_FTP, 21/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_GTPV1, 2123/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_GTPV1, 2152/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 3128/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 631/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 80/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 8000/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 8080/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 81/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 8888/tcp)) -> -0.000000 MetaHookPost 
CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_IRC, 6666/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_IRC, 6667/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_IRC, 6668/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_IRC, 6669/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_MODBUS, 502/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_RADIUS, 1812/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SMTP, 25/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SMTP, 587/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SNMP, 161/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SNMP, 162/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SOCKS, 1080/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSH, 22/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 443/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 5223/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 563/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 585/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 614/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 636/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 989/tcp)) -> -0.000000 MetaHookPost 
CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 990/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 992/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 993/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 995/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_AYIYA, {5072/udp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DHCP, {67<...>/udp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNP3, {20000/tcp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNS, {5355<...>/udp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_HTTP, {631<...>/tcp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_IRC, {6669<...>/tcp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_MODBUS, {502/tcp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_RADIUS, {1812/udp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SMTP, {25<...>/tcp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SNMP, {162<...>/udp})) -> -0.000000 MetaHookPost 
CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SOCKS, {1080/tcp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SSH, {22/tcp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SSL, {5223<...>/tcp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SYSLOG, {514/udp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_TEREDO, {3544/udp})) -> -0.000000 MetaHookPost CallFunction(Cluster::is_enabled, ()) -> -0.000000 MetaHookPost CallFunction(Files::register_analyzer_add_callback, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) -> -0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) -> -0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? 
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])) -> -0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) -> -0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -> -0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = 
split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, 
exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (HTTP::LOG, 
[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = 
fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn 
(to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost 
CallFunction(Log::__add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( 
!= Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Cluster::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Communication::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Conn::LOG, [columns=, ev=Conn::log_conn])) -> 
-0.000000 MetaHookPost CallFunction(Log::__create_stream, (DHCP::LOG, [columns=, ev=DHCP::log_dhcp])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (DNP3::LOG, [columns=, ev=DNP3::log_dnp3])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (DNS::LOG, [columns=, ev=DNS::log_dns])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (DPD::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (FTP::LOG, [columns=, ev=FTP::log_ftp])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Files::LOG, [columns=, ev=Files::log_files])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (HTTP::LOG, [columns=, ev=HTTP::log_http])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (IRC::LOG, [columns=, ev=IRC::irc_log])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Intel::LOG, [columns=, ev=Intel::log_intel])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Modbus::LOG, [columns=, ev=Modbus::log_modbus])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Notice::ALARM_LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Notice::LOG, [columns=, ev=Notice::log_notice])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (PacketFilter::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (RADIUS::LOG, [columns=, ev=RADIUS::log_radius])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Reporter::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (SMTP::LOG, [columns=, ev=SMTP::log_smtp])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (SNMP::LOG, [columns=, ev=SNMP::log_snmp])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (SOCKS::LOG, [columns=, ev=SOCKS::log_socks])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (SSH::LOG, [columns=, ev=SSH::log_ssh])) -> -0.000000 MetaHookPost 
CallFunction(Log::__create_stream, (SSL::LOG, [columns=, ev=SSL::log_ssl])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Signatures::LOG, [columns=, ev=Signatures::log_signature])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Software::LOG, [columns=, ev=Software::log_software])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Syslog::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Tunnel::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Unified2::LOG, [columns=, ev=Unified2::log_unified2])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) -> -0.000000 MetaHookPost CallFunction(Log::__write, (PacketFilter::LOG, [ts=1412721129.083128, node=bro, filter=ip or not ip, init=T, success=T])) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Cluster::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Communication::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Conn::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (DHCP::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (DNP3::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (DNS::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (DPD::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (FTP::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Files::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (HTTP::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (IRC::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Intel::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Modbus::LOG)) -> 
-0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Notice::ALARM_LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Notice::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (PacketFilter::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (RADIUS::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Reporter::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (SMTP::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (SNMP::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (SOCKS::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (SSH::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (SSL::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Signatures::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Software::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Syslog::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Tunnel::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Unified2::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Weird::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, (X509::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, 
interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, 
exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (SOCKS::LOG, [name=default, 
writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost 
CallFunction(Log::add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Cluster::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Communication::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Conn::LOG, [columns=, ev=Conn::log_conn])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (DHCP::LOG, [columns=, ev=DHCP::log_dhcp])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (DNP3::LOG, [columns=, ev=DNP3::log_dnp3])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (DNS::LOG, [columns=, ev=DNS::log_dns])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (DPD::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (FTP::LOG, [columns=, ev=FTP::log_ftp])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Files::LOG, [columns=, ev=Files::log_files])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (HTTP::LOG, [columns=, ev=HTTP::log_http])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (IRC::LOG, [columns=, ev=IRC::irc_log])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Intel::LOG, [columns=, ev=Intel::log_intel])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Modbus::LOG, [columns=, ev=Modbus::log_modbus])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Notice::ALARM_LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Notice::LOG, [columns=, ev=Notice::log_notice])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (PacketFilter::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (RADIUS::LOG, [columns=, ev=RADIUS::log_radius])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Reporter::LOG, 
[columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (SMTP::LOG, [columns=, ev=SMTP::log_smtp])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (SNMP::LOG, [columns=, ev=SNMP::log_snmp])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (SOCKS::LOG, [columns=, ev=SOCKS::log_socks])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (SSH::LOG, [columns=, ev=SSH::log_ssh])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (SSL::LOG, [columns=, ev=SSL::log_ssl])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Signatures::LOG, [columns=, ev=Signatures::log_signature])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Software::LOG, [columns=, ev=Software::log_software])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Syslog::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Tunnel::LOG, [columns=, ev=])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Unified2::LOG, [columns=, ev=Unified2::log_unified2])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) -> -0.000000 MetaHookPost CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1412721129.083128, node=bro, filter=ip or not ip, init=T, success=T])) -> -0.000000 MetaHookPost CallFunction(Log::write, (PacketFilter::LOG, [ts=1412721129.083128, node=bro, filter=ip or not ip, init=T, success=T])) -> -0.000000 MetaHookPost CallFunction(Notice::want_pp, ()) -> -0.000000 MetaHookPost CallFunction(PacketFilter::build, ()) -> -0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, (ip or not ip, and, )) -> -0.000000 MetaHookPost CallFunction(PacketFilter::install, ()) -> -0.000000 MetaHookPost CallFunction(SumStats::add_observe_plugin_dependency, (SumStats::STD_DEV, SumStats::VARIANCE)) -> -0.000000 
MetaHookPost CallFunction(SumStats::add_observe_plugin_dependency, (SumStats::VARIANCE, SumStats::AVERAGE)) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::AVERAGE, anonymous-function{ if (!SumStats::rv?$average) SumStats::rv$average = SumStats::valelseSumStats::rv$average += (SumStats::val - SumStats::rv$average) / (coerce SumStats::rv$num to double)})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::HLL_UNIQUE, anonymous-function{ if (!SumStats::rv?$card) { SumStats::rv$card = hll_cardinality_init(SumStats::r$hll_error_margin, SumStats::r$hll_confidence)SumStats::rv$hll_error_margin = SumStats::r$hll_error_marginSumStats::rv$hll_confidence = SumStats::r$hll_confidence}hll_cardinality_add(SumStats::rv$card, SumStats::obs)SumStats::rv$hll_unique = double_to_count(hll_cardinality_estimate(SumStats::rv$card))})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::LAST, anonymous-function{ if (0 < SumStats::r$num_last_elements) { if (!SumStats::rv?$last_elements) SumStats::rv$last_elements = Queue::init((coerce [$max_len=SumStats::r$num_last_elements] to Queue::Settings))Queue::put(SumStats::rv$last_elements, SumStats::obs)}})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::MAX, anonymous-function{ if (!SumStats::rv?$max) SumStats::rv$max = SumStats::valelseif (SumStats::rv$max < SumStats::val) SumStats::rv$max = SumStats::val})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::MIN, anonymous-function{ if (!SumStats::rv?$min) SumStats::rv$min = SumStats::valelseif (SumStats::val < SumStats::rv$min) SumStats::rv$min = SumStats::val})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::SAMPLE, anonymous-function{ SumStats::sample_add_sample(SumStats::obs, SumStats::rv)})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, 
(SumStats::STD_DEV, anonymous-function{ SumStats::calc_std_dev(SumStats::rv)})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::SUM, anonymous-function{ SumStats::rv$sum += SumStats::val})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::TOPK, anonymous-function{ topk_add(SumStats::rv$topk, SumStats::obs)})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average})) -> -0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugins, ()) -> -0.000000 MetaHookPost CallFunction(bro_init, ()) -> -0.000000 MetaHookPost CallFunction(cat, (Packe, t, _, Filter)) -> -0.000000 MetaHookPost CallFunction(current_time, ()) -> -0.000000 MetaHookPost CallFunction(filter_change_tracking, ()) -> -0.000000 MetaHookPost CallFunction(fmt, (%s, PacketFilter::LOG)) -> -0.000000 MetaHookPost CallFunction(getenv, (CLUSTER_NODE)) -> -0.000000 MetaHookPost CallFunction(install_pcap_filter, (PacketFilter::DefaultPcapFilter)) -> -0.000000 MetaHookPost CallFunction(network_time, ()) -> -0.000000 MetaHookPost CallFunction(precompile_pcap_filter, (PacketFilter::DefaultPcapFilter, ip or not ip)) -> -0.000000 MetaHookPost CallFunction(reading_live_traffic, ()) -> -0.000000 
MetaHookPost CallFunction(reading_traces, ()) -> -0.000000 MetaHookPost CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$)) -> -0.000000 MetaHookPost CallFunction(split1, (PacketFilter::LOG, <...>/)) -> -0.000000 MetaHookPost CallFunction(split_n, (PacketFilter, <...>/, T, 4)) -> -0.000000 MetaHookPost CallFunction(string_to_pattern, ((^\.?|\.)()$, F)) -> -0.000000 MetaHookPost CallFunction(sub, ((^\.?|\.)(~~)$, <...>/, )) -> -0.000000 MetaHookPost CallFunction(sub_bytes, (tFilter, 1, 1)) -> -0.000000 MetaHookPost CallFunction(sub_bytes, (tFilter, 2, 7)) -> -0.000000 MetaHookPost CallFunction(to_lower, (Packet_Filter)) -> +0.000000 MetaHookPost CallFunction(sub_bytes, frame PacketFilter::LOG[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}{[2] = tFilter,[1] = Packe,[3] = }Packe, (tFilter, 1, 1)) -> +0.000000 MetaHookPost CallFunction(sub_bytes, frame PacketFilter::LOG[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}{[2] = tFilter,[1] = Packe,[3] = }Packe, (tFilter, 2, 7)) -> +0.000000 MetaHookPost CallFunction(to_lower, frame PacketFilter::LOG[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}{[2] = tFilter,[1] = Packe,[3] = }Packet_Filter, (Packet_Filter)) -> +0.000000 MetaHookPost DrainEvents() -> +0.000000 MetaHookPost LoadFile(../main) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_ARP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_AYIYA.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_AsciiReader.ascii.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_AsciiWriter.ascii.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_BackDoor.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_BenchmarkReader.benchmark.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_BinaryReader.binary.bif.bro) -> -1 +0.000000 MetaHookPost 
LoadFile(./Bro_BitTorrent.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_ConnSize.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_DCE_RPC.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_DHCP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_DNP3.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_DNS.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_FTP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_FTP.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_File.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_FileExtract.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_FileExtract.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_FileHash.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_Finger.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_GTPv1.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_Gnutella.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_HTTP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_HTTP.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_ICMP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_IRC.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_Ident.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_InterConn.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_Login.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_Login.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_MIME.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_Modbus.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_NCP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_NTP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_NetBIOS.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_NetBIOS.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_NetFlow.events.bif.bro) -> -1 
+0.000000 MetaHookPost LoadFile(./Bro_NoneWriter.none.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_PIA.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_POP3.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_RADIUS.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_RPC.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_RawReader.raw.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_SMB.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_SMTP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_SMTP.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_SNMP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_SNMP.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_SOCKS.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_SQLiteReader.sqlite.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_SQLiteWriter.sqlite.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_SSH.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_SSL.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_SteppingStone.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_Syslog.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_TCP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_TCP.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_Teredo.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_UDP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_Unified2.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_Unified2.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_X509.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_X509.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_X509.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_ZIP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./addrs) -> -1 +0.000000 MetaHookPost LoadFile(./analyzer.bif.bro) -> -1 +0.000000 MetaHookPost 
LoadFile(./average) -> -1 +0.000000 MetaHookPost LoadFile(./bloom-filter.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./bro.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./broxygen.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./cardinality-counter.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./const.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./consts) -> -1 +0.000000 MetaHookPost LoadFile(./consts.bro) -> -1 +0.000000 MetaHookPost LoadFile(./contents) -> -1 +0.000000 MetaHookPost LoadFile(./dcc-send) -> -1 +0.000000 MetaHookPost LoadFile(./entities) -> -1 +0.000000 MetaHookPost LoadFile(./event.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./exec) -> -1 +0.000000 MetaHookPost LoadFile(./file_analysis.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./files) -> -1 +0.000000 MetaHookPost LoadFile(./gridftp) -> -1 +0.000000 MetaHookPost LoadFile(./hll_unique) -> -1 +0.000000 MetaHookPost LoadFile(./hooks.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./inactivity) -> -1 +0.000000 MetaHookPost LoadFile(./info) -> -1 +0.000000 MetaHookPost LoadFile(./init.bro) -> -1 +0.000000 MetaHookPost LoadFile(./input) -> -1 +0.000000 MetaHookPost LoadFile(./input.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./last) -> -1 +0.000000 MetaHookPost LoadFile(./logging.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./magic) -> -1 +0.000000 MetaHookPost LoadFile(./main) -> -1 +0.000000 MetaHookPost LoadFile(./main.bro) -> -1 +0.000000 MetaHookPost LoadFile(./max) -> -1 +0.000000 MetaHookPost LoadFile(./min) -> -1 +0.000000 MetaHookPost LoadFile(./mozilla-ca-list) -> -1 +0.000000 MetaHookPost LoadFile(./netstats) -> -1 +0.000000 MetaHookPost LoadFile(./non-cluster) -> -1 +0.000000 MetaHookPost LoadFile(./patterns) -> -1 +0.000000 MetaHookPost LoadFile(./pcap.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./plugins) -> -1 +0.000000 MetaHookPost LoadFile(./polling) -> -1 +0.000000 MetaHookPost LoadFile(./postprocessors) -> -1 +0.000000 MetaHookPost LoadFile(./reporter.bif.bro) -> 
-1 +0.000000 MetaHookPost LoadFile(./sample) -> -1 +0.000000 MetaHookPost LoadFile(./scp) -> -1 +0.000000 MetaHookPost LoadFile(./sftp) -> -1 +0.000000 MetaHookPost LoadFile(./site) -> -1 +0.000000 MetaHookPost LoadFile(./std-dev) -> -1 +0.000000 MetaHookPost LoadFile(./strings.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./sum) -> -1 +0.000000 MetaHookPost LoadFile(./top-k.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./topk) -> -1 +0.000000 MetaHookPost LoadFile(./types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./unique) -> -1 +0.000000 MetaHookPost LoadFile(./utils) -> -1 +0.000000 MetaHookPost LoadFile(./utils-commands) -> -1 +0.000000 MetaHookPost LoadFile(./utils.bro) -> -1 +0.000000 MetaHookPost LoadFile(./variance) -> -1 +0.000000 MetaHookPost LoadFile(./weird) -> -1 +0.000000 MetaHookPost LoadFile(.<...>/add-geodata) -> -1 +0.000000 MetaHookPost LoadFile(.<...>/ascii) -> -1 +0.000000 MetaHookPost LoadFile(.<...>/benchmark) -> -1 +0.000000 MetaHookPost LoadFile(.<...>/binary) -> -1 +0.000000 MetaHookPost LoadFile(.<...>/drop) -> -1 +0.000000 MetaHookPost LoadFile(.<...>/email_admin) -> -1 +0.000000 MetaHookPost LoadFile(.<...>/hostnames) -> -1 +0.000000 MetaHookPost LoadFile(.<...>/none) -> -1 +0.000000 MetaHookPost LoadFile(.<...>/page) -> -1 +0.000000 MetaHookPost LoadFile(.<...>/pp-alarms) -> -1 +0.000000 MetaHookPost LoadFile(.<...>/raw) -> -1 +0.000000 MetaHookPost LoadFile(.<...>/sqlite) -> -1 +0.000000 MetaHookPost LoadFile(<...>/__load__.bro) -> -1 +0.000000 MetaHookPost LoadFile(<...>/hooks.bro) -> -1 +0.000000 MetaHookPost LoadFile(base/bif) -> -1 +0.000000 MetaHookPost LoadFile(base/init-default.bro) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/Bro_SNMP.types.bif) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/active-http) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/addrs) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/analyzer) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/analyzer.bif) -> -1 +0.000000 MetaHookPost 
LoadFile(base<...>/bro.bif) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/cluster) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/communication) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/conn) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/conn-ids) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/const.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/control) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/dhcp) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/dir) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/directions-and-hosts) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/dnp3) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/dns) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/dpd) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/event.bif) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/exec) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/extract) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/file_analysis.bif) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/files) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/find-checksum-offloading) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/find-filtered-trace) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/ftp) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/hash) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/http) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/input) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/input.bif) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/intel) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/irc) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/logging) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/logging.bif) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/main) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/modbus) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/notice) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/numbers) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/packet-filter) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/paths) -> -1 
+0.000000 MetaHookPost LoadFile(base<...>/patterns) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/plugins) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/pop3) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/queue) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/radius) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/reporter) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/reporter.bif) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/signatures) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/site) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/smtp) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/snmp) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/socks) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/software) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/ssh) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/ssl) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/strings) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/strings.bif) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/sumstats) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/syslog) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/thresholds) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/time) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/tunnels) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/types.bif) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/unified2) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/urls) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/utils) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/x509) -> -1 +0.000000 MetaHookPost QueueEvent(bro_init()) -> false +0.000000 MetaHookPost QueueEvent(filter_change_tracking()) -> false +0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, frame Analyzer::ANALYZER_BACKDOOR, (Analyzer::ANALYZER_BACKDOOR)) +0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, frame Analyzer::ANALYZER_INTERCONN, (Analyzer::ANALYZER_INTERCONN)) +0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, frame 
Analyzer::ANALYZER_STEPPINGSTONE, (Analyzer::ANALYZER_STEPPINGSTONE)) +0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, frame Analyzer::ANALYZER_TCPSTATS, (Analyzer::ANALYZER_TCPSTATS)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_AYIYA5072<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DHCP67<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DHCP68<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DNP320000<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DNS137<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DNS5353<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DNS5355<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DNS53<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_DNS53<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_FTP21<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_FTP2811<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_GTPV12123<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_GTPV12152<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP1080<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP3128<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP631<...>/tcp)) +0.000000 MetaHookPre 
CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP8000<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP8080<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP80<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP81<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_HTTP8888<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_IRC6666<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_IRC6667<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_IRC6668<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_IRC6669<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_MODBUS502<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_RADIUS1812<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SMTP25<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SMTP587<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SNMP161<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SNMP162<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SOCKS1080<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSH22<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL443<...>/tcp)) +0.000000 MetaHookPre 
CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL5223<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL563<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL585<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL614<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL636<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL989<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL990<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL992<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL993<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SSL995<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_SYSLOG514<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, frame Analyzer::ANALYZER_TEREDO3544<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, frame Analyzer::ANALYZER_BACKDOOR, (Analyzer::ANALYZER_BACKDOOR)) +0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, frame Analyzer::ANALYZER_INTERCONN, (Analyzer::ANALYZER_INTERCONN)) +0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, frame Analyzer::ANALYZER_STEPPINGSTONE, (Analyzer::ANALYZER_STEPPINGSTONE)) +0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, frame Analyzer::ANALYZER_TCPSTATS, (Analyzer::ANALYZER_TCPSTATS)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_AYIYA{5072<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, 
frame Analyzer::ANALYZER_DHCP{67<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_DNP3{20000<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_DNS{5355<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_DNS{5355<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_FTP{2811<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_GTPV1{2152<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_HTTP{631<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_IRC{6669<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_MODBUS{502<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_RADIUS{1812<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_SMTP{25<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_SNMP{162<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_SOCKS{1080<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_SSH{22<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_SSL{5223<...>/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_SYSLOG{514<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, frame Analyzer::ANALYZER_TEREDO{3544<...>/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_AYIYA, {5072/udp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , 
(Analyzer::ANALYZER_DHCP, {67<...>/udp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_DNP3, {20000/tcp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_DNS, {5355<...>/udp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_HTTP, {631<...>/tcp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_IRC, {6669<...>/tcp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_MODBUS, {502/tcp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_SMTP, {25<...>/tcp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_SNMP, {162<...>/udp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_SOCKS, {1080/tcp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_SSH, {22/tcp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_SSL, {5223<...>/tcp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame , (Analyzer::ANALYZER_TEREDO, {3544/udp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame Analyzer::ANALYZER_STEPPINGSTONE, (Analyzer::ANALYZER_RADIUS, {1812/udp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, frame Analyzer::ANALYZER_STEPPINGSTONE, (Analyzer::ANALYZER_SYSLOG, {514/udp})) +0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) +0.000000 MetaHookPre CallFunction(Cluster::is_enabled, frame , ()) +0.000000 MetaHookPre 
CallFunction(Files::register_analyzer_add_callback, frame , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) +0.000000 MetaHookPre CallFunction(Files::register_protocol, frame , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, frame , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, frame , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, frame , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in 
SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, frame Analyzer::ANALYZER_STEPPINGSTONE, (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Cluster::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Communication::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, 
log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Conn::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame DHCP::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame DNP3::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame DNS::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame DPD::LOG[name=default, 
writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame FTP::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Files::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame HTTP::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame IRC::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = 
split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Intel::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Modbus::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Notice::ALARM_LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Notice::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, 
exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame PacketFilter::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame RADIUS::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Reporter::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame SMTP::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame 
SNMP::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame SOCKS::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame SSH::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame SSL::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Signatures::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = 
fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Software::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Syslog::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Tunnel::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Unified2::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn 
(to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame Weird::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, frame X509::LOG[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Cluster::LOG[columns=, ev=], (Cluster::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Communication::LOG[columns=, ev=], (Communication::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Conn::LOG[columns=, ev=Conn::log_conn], (Conn::LOG, [columns=, ev=Conn::log_conn])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame DHCP::LOG[columns=, ev=DHCP::log_dhcp], (DHCP::LOG, [columns=, ev=DHCP::log_dhcp])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame DNP3::LOG[columns=, ev=DNP3::log_dnp3], (DNP3::LOG, [columns=, ev=DNP3::log_dnp3])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame DNS::LOG[columns=, ev=DNS::log_dns], (DNS::LOG, [columns=, ev=DNS::log_dns])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame DPD::LOG[columns=, ev=], (DPD::LOG, [columns=, 
ev=])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame FTP::LOG[columns=, ev=FTP::log_ftp], (FTP::LOG, [columns=, ev=FTP::log_ftp])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Files::LOG[columns=, ev=Files::log_files], (Files::LOG, [columns=, ev=Files::log_files])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame HTTP::LOG[columns=, ev=HTTP::log_http], (HTTP::LOG, [columns=, ev=HTTP::log_http])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame IRC::LOG[columns=, ev=IRC::irc_log], (IRC::LOG, [columns=, ev=IRC::irc_log])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Intel::LOG[columns=, ev=Intel::log_intel], (Intel::LOG, [columns=, ev=Intel::log_intel])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Modbus::LOG[columns=, ev=Modbus::log_modbus], (Modbus::LOG, [columns=, ev=Modbus::log_modbus])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Notice::ALARM_LOG[columns=, ev=], (Notice::ALARM_LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Notice::LOG[columns=, ev=Notice::log_notice], (Notice::LOG, [columns=, ev=Notice::log_notice])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame PacketFilter::LOG[columns=, ev=], (PacketFilter::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame RADIUS::LOG[columns=, ev=RADIUS::log_radius], (RADIUS::LOG, [columns=, ev=RADIUS::log_radius])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Reporter::LOG[columns=, ev=], (Reporter::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame SMTP::LOG[columns=, ev=SMTP::log_smtp], (SMTP::LOG, [columns=, ev=SMTP::log_smtp])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame SNMP::LOG[columns=, ev=SNMP::log_snmp], (SNMP::LOG, [columns=, ev=SNMP::log_snmp])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame SOCKS::LOG[columns=, 
ev=SOCKS::log_socks], (SOCKS::LOG, [columns=, ev=SOCKS::log_socks])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame SSH::LOG[columns=, ev=SSH::log_ssh], (SSH::LOG, [columns=, ev=SSH::log_ssh])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame SSL::LOG[columns=, ev=SSL::log_ssl], (SSL::LOG, [columns=, ev=SSL::log_ssl])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Signatures::LOG[columns=, ev=Signatures::log_signature], (Signatures::LOG, [columns=, ev=Signatures::log_signature])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Software::LOG[columns=, ev=Software::log_software], (Software::LOG, [columns=, ev=Software::log_software])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Syslog::LOG[columns=, ev=], (Syslog::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Tunnel::LOG[columns=, ev=], (Tunnel::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Unified2::LOG[columns=, ev=Unified2::log_unified2], (Unified2::LOG, [columns=, ev=Unified2::log_unified2])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame Weird::LOG[columns=, ev=Weird::log_weird], (Weird::LOG, [columns=, ev=Weird::log_weird])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, frame X509::LOG[columns=, ev=X509::log_x509], (X509::LOG, [columns=, ev=X509::log_x509])) +0.000000 MetaHookPre CallFunction(Log::__write, frame PacketFilter::LOG[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T], (PacketFilter::LOG, [ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Cluster::LOG[columns=, ev=], (Cluster::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Communication::LOG[columns=, ev=], (Communication::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Conn::LOG[columns=, 
ev=Conn::log_conn], (Conn::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame DHCP::LOG[columns=, ev=DHCP::log_dhcp], (DHCP::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame DNP3::LOG[columns=, ev=DNP3::log_dnp3], (DNP3::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame DNS::LOG[columns=, ev=DNS::log_dns], (DNS::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame DPD::LOG[columns=, ev=], (DPD::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame FTP::LOG[columns=, ev=FTP::log_ftp], (FTP::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Files::LOG[columns=, ev=Files::log_files], (Files::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame HTTP::LOG[columns=, ev=HTTP::log_http], (HTTP::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame IRC::LOG[columns=, ev=IRC::irc_log], (IRC::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Intel::LOG[columns=, ev=Intel::log_intel], (Intel::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Modbus::LOG[columns=, ev=Modbus::log_modbus], (Modbus::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Notice::ALARM_LOG[columns=, ev=], (Notice::ALARM_LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Notice::LOG[columns=, ev=Notice::log_notice], (Notice::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame PacketFilter::LOG[columns=, ev=], (PacketFilter::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame RADIUS::LOG[columns=, ev=RADIUS::log_radius], (RADIUS::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Reporter::LOG[columns=, ev=], (Reporter::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame SMTP::LOG[columns=, ev=SMTP::log_smtp], (SMTP::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, 
frame SNMP::LOG[columns=, ev=SNMP::log_snmp], (SNMP::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame SOCKS::LOG[columns=, ev=SOCKS::log_socks], (SOCKS::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame SSH::LOG[columns=, ev=SSH::log_ssh], (SSH::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame SSL::LOG[columns=, ev=SSL::log_ssl], (SSL::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Signatures::LOG[columns=, ev=Signatures::log_signature], (Signatures::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Software::LOG[columns=, ev=Software::log_software], (Software::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Syslog::LOG[columns=, ev=], (Syslog::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Tunnel::LOG[columns=, ev=], (Tunnel::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Unified2::LOG[columns=, ev=Unified2::log_unified2], (Unified2::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame Weird::LOG[columns=, ev=Weird::log_weird], (Weird::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, frame X509::LOG[columns=, ev=X509::log_x509], (X509::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Cluster::LOG, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Communication::LOG, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Conn::LOG, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, 
postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame DHCP::LOG, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame DNP3::LOG, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame DNS::LOG, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame DPD::LOG, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame FTP::LOG, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Files::LOG, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame HTTP::LOG, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame IRC::LOG, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame 
Intel::LOG, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Modbus::LOG, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Notice::ALARM_LOG, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Notice::LOG, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame PacketFilter::LOG, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame RADIUS::LOG, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Reporter::LOG, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame SMTP::LOG, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame SNMP::LOG, (SNMP::LOG, 
[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame SOCKS::LOG, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame SSH::LOG, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame SSL::LOG, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Signatures::LOG, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Software::LOG, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Syslog::LOG, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Tunnel::LOG, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Unified2::LOG, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, 
path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame Weird::LOG, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, frame X509::LOG, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Cluster::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Communication::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (DHCP::LOG, [columns=, ev=DHCP::log_dhcp])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (DNP3::LOG, [columns=, ev=DNP3::log_dnp3])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (DNS::LOG, [columns=, ev=DNS::log_dns])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (DPD::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (FTP::LOG, [columns=, ev=FTP::log_ftp])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Files::LOG, [columns=, ev=Files::log_files])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (HTTP::LOG, [columns=, ev=HTTP::log_http])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (IRC::LOG, [columns=, ev=IRC::irc_log])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Intel::LOG, [columns=, ev=Intel::log_intel])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Modbus::LOG, [columns=, ev=Modbus::log_modbus])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Notice::ALARM_LOG, [columns=, ev=])) +0.000000 MetaHookPre 
CallFunction(Log::create_stream, frame , (Notice::LOG, [columns=, ev=Notice::log_notice])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (PacketFilter::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Reporter::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (SMTP::LOG, [columns=, ev=SMTP::log_smtp])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (SNMP::LOG, [columns=, ev=SNMP::log_snmp])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (SOCKS::LOG, [columns=, ev=SOCKS::log_socks])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (SSH::LOG, [columns=, ev=SSH::log_ssh])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (SSL::LOG, [columns=, ev=SSL::log_ssl])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Signatures::LOG, [columns=, ev=Signatures::log_signature])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Tunnel::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Unified2::LOG, [columns=, ev=Unified2::log_unified2])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (Weird::LOG, [columns=, ev=Weird::log_weird])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame , (X509::LOG, [columns=, ev=X509::log_x509])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame Analyzer::ANALYZER_STEPPINGSTONE, (Conn::LOG, [columns=, ev=Conn::log_conn])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame Analyzer::ANALYZER_STEPPINGSTONE, (RADIUS::LOG, [columns=, ev=RADIUS::log_radius])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame Analyzer::ANALYZER_STEPPINGSTONE, (Software::LOG, [columns=, ev=Software::log_software])) +0.000000 MetaHookPre CallFunction(Log::create_stream, frame Analyzer::ANALYZER_STEPPINGSTONE, (Syslog::LOG, [columns=, ev=])) +0.000000 MetaHookPre CallFunction(Log::default_path_func, , 
(PacketFilter::LOG, , [ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, frame ip or not ip1412734245.30831964.0 usecs[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T], (PacketFilter::LOG, [ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Notice::want_pp, frame , ()) +0.000000 MetaHookPre CallFunction(PacketFilter::build, frame [ts=, node=, filter=, init=F, success=T], ()) +0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, frame [func=]ip or not ip, (ip or not ip, and, )) +0.000000 MetaHookPre CallFunction(PacketFilter::install, frame , ()) +0.000000 MetaHookPre CallFunction(SumStats::add_observe_plugin_dependency, frame , (SumStats::STD_DEV, SumStats::VARIANCE)) +0.000000 MetaHookPre CallFunction(SumStats::add_observe_plugin_dependency, frame , (SumStats::VARIANCE, SumStats::AVERAGE)) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::AVERAGE, anonymous-function{ if (!SumStats::rv?$average) SumStats::rv$average = SumStats::valelseSumStats::rv$average += (SumStats::val - SumStats::rv$average) / (coerce SumStats::rv$num to double)})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::HLL_UNIQUE, anonymous-function{ if (!SumStats::rv?$card) { SumStats::rv$card = hll_cardinality_init(SumStats::r$hll_error_margin, SumStats::r$hll_confidence)SumStats::rv$hll_error_margin = SumStats::r$hll_error_marginSumStats::rv$hll_confidence = SumStats::r$hll_confidence}hll_cardinality_add(SumStats::rv$card, SumStats::obs)SumStats::rv$hll_unique = double_to_count(hll_cardinality_estimate(SumStats::rv$card))})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::LAST, anonymous-function{ if (0 < SumStats::r$num_last_elements) { if (!SumStats::rv?$last_elements) SumStats::rv$last_elements = 
Queue::init((coerce [$max_len=SumStats::r$num_last_elements] to Queue::Settings))Queue::put(SumStats::rv$last_elements, SumStats::obs)}})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::MAX, anonymous-function{ if (!SumStats::rv?$max) SumStats::rv$max = SumStats::valelseif (SumStats::rv$max < SumStats::val) SumStats::rv$max = SumStats::val})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::MIN, anonymous-function{ if (!SumStats::rv?$min) SumStats::rv$min = SumStats::valelseif (SumStats::val < SumStats::rv$min) SumStats::rv$min = SumStats::val})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::SAMPLE, anonymous-function{ SumStats::sample_add_sample(SumStats::obs, SumStats::rv)})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::STD_DEV, anonymous-function{ SumStats::calc_std_dev(SumStats::rv)})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::SUM, anonymous-function{ SumStats::rv$sum += SumStats::val})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::TOPK, anonymous-function{ topk_add(SumStats::rv$topk, SumStats::obs)})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, frame , (SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - 
SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average})) +0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugins, frame , ()) +0.000000 MetaHookPre CallFunction(bro_init, , ()) +0.000000 MetaHookPre CallFunction(cat, frame PacketFilter::LOG[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}{[2] = tFilter,[1] = Packe,[3] = }Packe, (Packe, t, _, Filter)) +0.000000 MetaHookPre CallFunction(current_time, frame ip or not ip1412734245.30831964.0 usecs[ts=0.0, node=bro, filter=, init=F, success=T], ()) +0.000000 MetaHookPre CallFunction(current_time, frame ip or not ip1412734245.308319[ts=, node=, filter=, init=F, success=T], ()) +0.000000 MetaHookPre CallFunction(current_time, frame ip or not ip[ts=, node=, filter=, init=F, success=T], ()) +0.000000 MetaHookPre CallFunction(filter_change_tracking, , ()) +0.000000 MetaHookPre CallFunction(fmt, frame PacketFilter::LOG[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T], (%s, PacketFilter::LOG)) +0.000000 MetaHookPre CallFunction(getenv, , (CLUSTER_NODE)) +0.000000 MetaHookPre CallFunction(install_pcap_filter, frame ip or not ip1412734245.30831964.0 usecs[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T], (PacketFilter::DefaultPcapFilter)) +0.000000 MetaHookPre CallFunction(network_time, frame ip or not ip1412734245.30831964.0 usecs[ts=, node=, filter=, init=F, success=T], ()) +0.000000 MetaHookPre CallFunction(precompile_pcap_filter, frame ip or not ip1412734245.308319[ts=, node=, filter=, init=F, success=T], (PacketFilter::DefaultPcapFilter, ip or not ip)) +0.000000 MetaHookPre CallFunction(reading_live_traffic, frame ip or not ip1412734245.30831964.0 usecs[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T], ()) +0.000000 MetaHookPre CallFunction(reading_traces, frame , ()) +0.000000 MetaHookPre CallFunction(reading_traces, frame 
, ()) +0.000000 MetaHookPre CallFunction(reading_traces, frame ip or not ip1412734245.30831964.0 usecs[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T], ()) +0.000000 MetaHookPre CallFunction(set_to_regex, frame , ({}, (^\.?|\.)(~~)$)) +0.000000 MetaHookPre CallFunction(split1, frame PacketFilter::LOG[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG, (PacketFilter::LOG, <...>/)) +0.000000 MetaHookPre CallFunction(split_n, frame PacketFilter::LOG[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}, (PacketFilter, <...>/, T, 4)) +0.000000 MetaHookPre CallFunction(string_to_pattern, frame {}(^\.?|\.)(~~)$0, ((^\.?|\.)()$, F)) +0.000000 MetaHookPre CallFunction(sub, frame {}(^\.?|\.)(~~)$0, ((^\.?|\.)(~~)$, <...>/, )) +0.000000 MetaHookPre CallFunction(sub_bytes, frame PacketFilter::LOG[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}{[2] = tFilter,[1] = Packe,[3] = }Packe, (tFilter, 1, 1)) +0.000000 MetaHookPre CallFunction(sub_bytes, frame PacketFilter::LOG[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}{[2] = tFilter,[1] = Packe,[3] = }Packe, (tFilter, 2, 7)) +0.000000 MetaHookPre CallFunction(to_lower, frame PacketFilter::LOG[ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T]PacketFilter::LOG{[2] = LOG,[1] = PacketFilter}{[2] = tFilter,[1] = Packe,[3] = }Packet_Filter, (Packet_Filter)) +0.000000 MetaHookPre DrainEvents() +0.000000 MetaHookPre LoadFile(../main) +0.000000 MetaHookPre LoadFile(./Bro_ARP.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_AYIYA.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_AsciiReader.ascii.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_AsciiWriter.ascii.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_BackDoor.events.bif.bro) +0.000000 
MetaHookPre LoadFile(./Bro_BenchmarkReader.benchmark.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_BinaryReader.binary.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_BitTorrent.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_ConnSize.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_DCE_RPC.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_DHCP.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_DNP3.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_DNS.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_FTP.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_FTP.functions.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_File.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_FileExtract.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_FileExtract.functions.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_FileHash.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_Finger.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_GTPv1.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_Gnutella.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_HTTP.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_HTTP.functions.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_ICMP.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_IRC.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_Ident.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_InterConn.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_Login.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_Login.functions.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_MIME.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_Modbus.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_NCP.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_NTP.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_NetBIOS.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_NetBIOS.functions.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_NetFlow.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_NoneWriter.none.bif.bro) 
+0.000000 MetaHookPre LoadFile(./Bro_PIA.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_POP3.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_RADIUS.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_RPC.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_RawReader.raw.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_SMB.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_SMTP.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_SMTP.functions.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_SNMP.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_SNMP.types.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_SOCKS.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_SQLiteReader.sqlite.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_SQLiteWriter.sqlite.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_SSH.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_SSL.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_SteppingStone.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_Syslog.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_TCP.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_TCP.functions.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_Teredo.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_UDP.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_Unified2.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_Unified2.types.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_X509.events.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_X509.functions.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_X509.types.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_ZIP.events.bif.bro) +0.000000 MetaHookPre LoadFile(./addrs) +0.000000 MetaHookPre LoadFile(./analyzer.bif.bro) +0.000000 MetaHookPre LoadFile(./average) +0.000000 MetaHookPre LoadFile(./bloom-filter.bif.bro) +0.000000 MetaHookPre LoadFile(./bro.bif.bro) +0.000000 MetaHookPre LoadFile(./broxygen.bif.bro) +0.000000 MetaHookPre LoadFile(./cardinality-counter.bif.bro) +0.000000 MetaHookPre LoadFile(./const.bif.bro) 
+0.000000 MetaHookPre LoadFile(./consts) +0.000000 MetaHookPre LoadFile(./consts.bro) +0.000000 MetaHookPre LoadFile(./contents) +0.000000 MetaHookPre LoadFile(./dcc-send) +0.000000 MetaHookPre LoadFile(./entities) +0.000000 MetaHookPre LoadFile(./event.bif.bro) +0.000000 MetaHookPre LoadFile(./exec) +0.000000 MetaHookPre LoadFile(./file_analysis.bif.bro) +0.000000 MetaHookPre LoadFile(./files) +0.000000 MetaHookPre LoadFile(./gridftp) +0.000000 MetaHookPre LoadFile(./hll_unique) +0.000000 MetaHookPre LoadFile(./hooks.bif.bro) +0.000000 MetaHookPre LoadFile(./inactivity) +0.000000 MetaHookPre LoadFile(./info) +0.000000 MetaHookPre LoadFile(./init.bro) +0.000000 MetaHookPre LoadFile(./input) +0.000000 MetaHookPre LoadFile(./input.bif.bro) +0.000000 MetaHookPre LoadFile(./last) +0.000000 MetaHookPre LoadFile(./logging.bif.bro) +0.000000 MetaHookPre LoadFile(./magic) +0.000000 MetaHookPre LoadFile(./main) +0.000000 MetaHookPre LoadFile(./main.bro) +0.000000 MetaHookPre LoadFile(./max) +0.000000 MetaHookPre LoadFile(./min) +0.000000 MetaHookPre LoadFile(./mozilla-ca-list) +0.000000 MetaHookPre LoadFile(./netstats) +0.000000 MetaHookPre LoadFile(./non-cluster) +0.000000 MetaHookPre LoadFile(./patterns) +0.000000 MetaHookPre LoadFile(./pcap.bif.bro) +0.000000 MetaHookPre LoadFile(./plugins) +0.000000 MetaHookPre LoadFile(./polling) +0.000000 MetaHookPre LoadFile(./postprocessors) +0.000000 MetaHookPre LoadFile(./reporter.bif.bro) +0.000000 MetaHookPre LoadFile(./sample) +0.000000 MetaHookPre LoadFile(./scp) +0.000000 MetaHookPre LoadFile(./sftp) +0.000000 MetaHookPre LoadFile(./site) +0.000000 MetaHookPre LoadFile(./std-dev) +0.000000 MetaHookPre LoadFile(./strings.bif.bro) +0.000000 MetaHookPre LoadFile(./sum) +0.000000 MetaHookPre LoadFile(./top-k.bif.bro) +0.000000 MetaHookPre LoadFile(./topk) +0.000000 MetaHookPre LoadFile(./types.bif.bro) +0.000000 MetaHookPre LoadFile(./unique) +0.000000 MetaHookPre LoadFile(./utils) +0.000000 MetaHookPre LoadFile(./utils-commands) 
+0.000000 MetaHookPre LoadFile(./utils.bro) +0.000000 MetaHookPre LoadFile(./variance) +0.000000 MetaHookPre LoadFile(./weird) +0.000000 MetaHookPre LoadFile(.<...>/add-geodata) +0.000000 MetaHookPre LoadFile(.<...>/ascii) +0.000000 MetaHookPre LoadFile(.<...>/benchmark) +0.000000 MetaHookPre LoadFile(.<...>/binary) +0.000000 MetaHookPre LoadFile(.<...>/drop) +0.000000 MetaHookPre LoadFile(.<...>/email_admin) +0.000000 MetaHookPre LoadFile(.<...>/hostnames) +0.000000 MetaHookPre LoadFile(.<...>/none) +0.000000 MetaHookPre LoadFile(.<...>/page) +0.000000 MetaHookPre LoadFile(.<...>/pp-alarms) +0.000000 MetaHookPre LoadFile(.<...>/raw) +0.000000 MetaHookPre LoadFile(.<...>/sqlite) +0.000000 MetaHookPre LoadFile(<...>/__load__.bro) +0.000000 MetaHookPre LoadFile(<...>/hooks.bro) +0.000000 MetaHookPre LoadFile(base/bif) +0.000000 MetaHookPre LoadFile(base/init-default.bro) +0.000000 MetaHookPre LoadFile(base<...>/Bro_SNMP.types.bif) +0.000000 MetaHookPre LoadFile(base<...>/active-http) +0.000000 MetaHookPre LoadFile(base<...>/addrs) +0.000000 MetaHookPre LoadFile(base<...>/analyzer) +0.000000 MetaHookPre LoadFile(base<...>/analyzer.bif) +0.000000 MetaHookPre LoadFile(base<...>/bro.bif) +0.000000 MetaHookPre LoadFile(base<...>/cluster) +0.000000 MetaHookPre LoadFile(base<...>/communication) +0.000000 MetaHookPre LoadFile(base<...>/conn) +0.000000 MetaHookPre LoadFile(base<...>/conn-ids) +0.000000 MetaHookPre LoadFile(base<...>/const.bif.bro) +0.000000 MetaHookPre LoadFile(base<...>/control) +0.000000 MetaHookPre LoadFile(base<...>/dhcp) +0.000000 MetaHookPre LoadFile(base<...>/dir) +0.000000 MetaHookPre LoadFile(base<...>/directions-and-hosts) +0.000000 MetaHookPre LoadFile(base<...>/dnp3) +0.000000 MetaHookPre LoadFile(base<...>/dns) +0.000000 MetaHookPre LoadFile(base<...>/dpd) +0.000000 MetaHookPre LoadFile(base<...>/event.bif) +0.000000 MetaHookPre LoadFile(base<...>/exec) +0.000000 MetaHookPre LoadFile(base<...>/extract) +0.000000 MetaHookPre 
LoadFile(base<...>/file_analysis.bif) +0.000000 MetaHookPre LoadFile(base<...>/files) +0.000000 MetaHookPre LoadFile(base<...>/find-checksum-offloading) +0.000000 MetaHookPre LoadFile(base<...>/find-filtered-trace) +0.000000 MetaHookPre LoadFile(base<...>/ftp) +0.000000 MetaHookPre LoadFile(base<...>/hash) +0.000000 MetaHookPre LoadFile(base<...>/http) +0.000000 MetaHookPre LoadFile(base<...>/input) +0.000000 MetaHookPre LoadFile(base<...>/input.bif) +0.000000 MetaHookPre LoadFile(base<...>/intel) +0.000000 MetaHookPre LoadFile(base<...>/irc) +0.000000 MetaHookPre LoadFile(base<...>/logging) +0.000000 MetaHookPre LoadFile(base<...>/logging.bif) +0.000000 MetaHookPre LoadFile(base<...>/main) +0.000000 MetaHookPre LoadFile(base<...>/modbus) +0.000000 MetaHookPre LoadFile(base<...>/notice) +0.000000 MetaHookPre LoadFile(base<...>/numbers) +0.000000 MetaHookPre LoadFile(base<...>/packet-filter) +0.000000 MetaHookPre LoadFile(base<...>/paths) +0.000000 MetaHookPre LoadFile(base<...>/patterns) +0.000000 MetaHookPre LoadFile(base<...>/plugins) +0.000000 MetaHookPre LoadFile(base<...>/pop3) +0.000000 MetaHookPre LoadFile(base<...>/queue) +0.000000 MetaHookPre LoadFile(base<...>/radius) +0.000000 MetaHookPre LoadFile(base<...>/reporter) +0.000000 MetaHookPre LoadFile(base<...>/reporter.bif) +0.000000 MetaHookPre LoadFile(base<...>/signatures) +0.000000 MetaHookPre LoadFile(base<...>/site) +0.000000 MetaHookPre LoadFile(base<...>/smtp) +0.000000 MetaHookPre LoadFile(base<...>/snmp) +0.000000 MetaHookPre LoadFile(base<...>/socks) +0.000000 MetaHookPre LoadFile(base<...>/software) +0.000000 MetaHookPre LoadFile(base<...>/ssh) +0.000000 MetaHookPre LoadFile(base<...>/ssl) +0.000000 MetaHookPre LoadFile(base<...>/strings) +0.000000 MetaHookPre LoadFile(base<...>/strings.bif) +0.000000 MetaHookPre LoadFile(base<...>/sumstats) +0.000000 MetaHookPre LoadFile(base<...>/syslog) +0.000000 MetaHookPre LoadFile(base<...>/thresholds) +0.000000 MetaHookPre LoadFile(base<...>/time) 
+0.000000 MetaHookPre LoadFile(base<...>/tunnels) +0.000000 MetaHookPre LoadFile(base<...>/types.bif) +0.000000 MetaHookPre LoadFile(base<...>/unified2) +0.000000 MetaHookPre LoadFile(base<...>/urls) +0.000000 MetaHookPre LoadFile(base<...>/utils) +0.000000 MetaHookPre LoadFile(base<...>/x509) +0.000000 MetaHookPre QueueEvent(bro_init()) +0.000000 MetaHookPre QueueEvent(filter_change_tracking()) +0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_BACKDOOR) +0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_INTERCONN) +0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE) +0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_TCPSTATS) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 67/udp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 68/udp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNP3, 20000/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 137/udp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 53/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 53/udp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 5353/udp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 5355/udp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 21/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GTPV1, 2123/udp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GTPV1, 2152/udp) +0.000000 | HookCallFunction 
Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 3128/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 631/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 80/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 8000/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 8080/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 81/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 8888/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IRC, 6666/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IRC, 6667/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IRC, 6668/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IRC, 6669/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_MODBUS, 502/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_RADIUS, 1812/udp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SMTP, 25/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SMTP, 587/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SNMP, 161/udp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SNMP, 162/udp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SOCKS, 1080/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSH, 22/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 443/tcp) +0.000000 | HookCallFunction 
Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 5223/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 563/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 585/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 614/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 636/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 989/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 990/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 992/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 993/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 995/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp) +0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_BACKDOOR) +0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_INTERCONN) +0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE) +0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_TCPSTATS) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 67/udp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 68/udp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNP3, 20000/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 137/udp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 53/tcp) +0.000000 | 
HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 53/udp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 5353/udp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 5355/udp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 21/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GTPV1, 2123/udp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GTPV1, 2152/udp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 3128/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 631/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 80/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 8000/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 8080/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 81/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 8888/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_IRC, 6666/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_IRC, 6667/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_IRC, 6668/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_IRC, 6669/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_MODBUS, 502/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_RADIUS, 1812/udp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SMTP, 25/tcp) 
+0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SMTP, 587/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SNMP, 161/udp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SNMP, 162/udp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SOCKS, 1080/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSH, 22/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 443/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 5223/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 563/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 585/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 614/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 636/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 989/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 990/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 992/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 993/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 995/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, {5072/udp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, {67<...>/udp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3, {20000/tcp}) +0.000000 | HookCallFunction 
Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, {5355<...>/udp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, {2811<...>/tcp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, {2152<...>/udp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, {631<...>/tcp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, {6669<...>/tcp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_MODBUS, {502/tcp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, {1812/udp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, {25<...>/tcp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SNMP, {162<...>/udp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, {1080/tcp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, {22/tcp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, {5223<...>/tcp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, {514/udp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp}) +0.000000 | HookCallFunction Cluster::is_enabled() +0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)}) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, 
FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != 
SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) +0.000000 | HookCallFunction Log::__add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = 
split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, 
postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return 
(Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn 
(to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SSH::LOG, [name=default, 
writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return 
(cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 
| HookCallFunction Log::__create_stream(Cluster::LOG, [columns=, ev=]) +0.000000 | HookCallFunction Log::__create_stream(Communication::LOG, [columns=, ev=]) +0.000000 | HookCallFunction Log::__create_stream(Conn::LOG, [columns=, ev=Conn::log_conn]) +0.000000 | HookCallFunction Log::__create_stream(DHCP::LOG, [columns=, ev=DHCP::log_dhcp]) +0.000000 | HookCallFunction Log::__create_stream(DNP3::LOG, [columns=, ev=DNP3::log_dnp3]) +0.000000 | HookCallFunction Log::__create_stream(DNS::LOG, [columns=, ev=DNS::log_dns]) +0.000000 | HookCallFunction Log::__create_stream(DPD::LOG, [columns=, ev=]) +0.000000 | HookCallFunction Log::__create_stream(FTP::LOG, [columns=, ev=FTP::log_ftp]) +0.000000 | HookCallFunction Log::__create_stream(Files::LOG, [columns=, ev=Files::log_files]) +0.000000 | HookCallFunction Log::__create_stream(HTTP::LOG, [columns=, ev=HTTP::log_http]) +0.000000 | HookCallFunction Log::__create_stream(IRC::LOG, [columns=, ev=IRC::irc_log]) +0.000000 | HookCallFunction Log::__create_stream(Intel::LOG, [columns=, ev=Intel::log_intel]) +0.000000 | HookCallFunction Log::__create_stream(Modbus::LOG, [columns=, ev=Modbus::log_modbus]) +0.000000 | HookCallFunction Log::__create_stream(Notice::ALARM_LOG, [columns=, ev=]) +0.000000 | HookCallFunction Log::__create_stream(Notice::LOG, [columns=, ev=Notice::log_notice]) +0.000000 | HookCallFunction Log::__create_stream(PacketFilter::LOG, [columns=, ev=]) +0.000000 | HookCallFunction Log::__create_stream(RADIUS::LOG, [columns=, ev=RADIUS::log_radius]) +0.000000 | HookCallFunction Log::__create_stream(Reporter::LOG, [columns=, ev=]) +0.000000 | HookCallFunction Log::__create_stream(SMTP::LOG, [columns=, ev=SMTP::log_smtp]) +0.000000 | HookCallFunction Log::__create_stream(SNMP::LOG, [columns=, ev=SNMP::log_snmp]) +0.000000 | HookCallFunction Log::__create_stream(SOCKS::LOG, [columns=, ev=SOCKS::log_socks]) +0.000000 | HookCallFunction Log::__create_stream(SSH::LOG, [columns=, ev=SSH::log_ssh]) +0.000000 | 
HookCallFunction Log::__create_stream(SSL::LOG, [columns=, ev=SSL::log_ssl]) +0.000000 | HookCallFunction Log::__create_stream(Signatures::LOG, [columns=, ev=Signatures::log_signature]) +0.000000 | HookCallFunction Log::__create_stream(Software::LOG, [columns=, ev=Software::log_software]) +0.000000 | HookCallFunction Log::__create_stream(Syslog::LOG, [columns=, ev=]) +0.000000 | HookCallFunction Log::__create_stream(Tunnel::LOG, [columns=, ev=]) +0.000000 | HookCallFunction Log::__create_stream(Unified2::LOG, [columns=, ev=Unified2::log_unified2]) +0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird]) +0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) +0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) +0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) +0.000000 | HookCallFunction Log::add_default_filter(DHCP::LOG) +0.000000 | HookCallFunction Log::add_default_filter(DNP3::LOG) +0.000000 | HookCallFunction Log::add_default_filter(DNS::LOG) +0.000000 | HookCallFunction Log::add_default_filter(DPD::LOG) +0.000000 | HookCallFunction Log::add_default_filter(FTP::LOG) +0.000000 | HookCallFunction Log::add_default_filter(Files::LOG) +0.000000 | HookCallFunction Log::add_default_filter(HTTP::LOG) +0.000000 | HookCallFunction Log::add_default_filter(IRC::LOG) +0.000000 | HookCallFunction Log::add_default_filter(Intel::LOG) +0.000000 | HookCallFunction Log::add_default_filter(Modbus::LOG) +0.000000 | HookCallFunction Log::add_default_filter(Notice::ALARM_LOG) +0.000000 | HookCallFunction Log::add_default_filter(Notice::LOG) +0.000000 | HookCallFunction Log::add_default_filter(PacketFilter::LOG) +0.000000 | HookCallFunction Log::add_default_filter(RADIUS::LOG) 
+0.000000 | HookCallFunction Log::add_default_filter(Reporter::LOG) +0.000000 | HookCallFunction Log::add_default_filter(SMTP::LOG) +0.000000 | HookCallFunction Log::add_default_filter(SNMP::LOG) +0.000000 | HookCallFunction Log::add_default_filter(SOCKS::LOG) +0.000000 | HookCallFunction Log::add_default_filter(SSH::LOG) +0.000000 | HookCallFunction Log::add_default_filter(SSL::LOG) +0.000000 | HookCallFunction Log::add_default_filter(Signatures::LOG) +0.000000 | HookCallFunction Log::add_default_filter(Software::LOG) +0.000000 | HookCallFunction Log::add_default_filter(Syslog::LOG) +0.000000 | HookCallFunction Log::add_default_filter(Tunnel::LOG) +0.000000 | HookCallFunction Log::add_default_filter(Unified2::LOG) +0.000000 | HookCallFunction Log::add_default_filter(Weird::LOG) +0.000000 | HookCallFunction Log::add_default_filter(X509::LOG) +0.000000 | HookCallFunction Log::add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(DNS::LOG, 
[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, 
include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, 
postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::create_stream(Cluster::LOG, [columns=, ev=]) +0.000000 | HookCallFunction Log::create_stream(Communication::LOG, [columns=, ev=]) +0.000000 | HookCallFunction Log::create_stream(Conn::LOG, [columns=, ev=Conn::log_conn]) +0.000000 | HookCallFunction Log::create_stream(DHCP::LOG, [columns=, ev=DHCP::log_dhcp]) +0.000000 | HookCallFunction Log::create_stream(DNP3::LOG, [columns=, ev=DNP3::log_dnp3]) +0.000000 | HookCallFunction Log::create_stream(DNS::LOG, [columns=, ev=DNS::log_dns]) +0.000000 | HookCallFunction Log::create_stream(DPD::LOG, [columns=, ev=]) +0.000000 | HookCallFunction Log::create_stream(FTP::LOG, [columns=, 
ev=FTP::log_ftp]) +0.000000 | HookCallFunction Log::create_stream(Files::LOG, [columns=, ev=Files::log_files]) +0.000000 | HookCallFunction Log::create_stream(HTTP::LOG, [columns=, ev=HTTP::log_http]) +0.000000 | HookCallFunction Log::create_stream(IRC::LOG, [columns=, ev=IRC::irc_log]) +0.000000 | HookCallFunction Log::create_stream(Intel::LOG, [columns=, ev=Intel::log_intel]) +0.000000 | HookCallFunction Log::create_stream(Modbus::LOG, [columns=, ev=Modbus::log_modbus]) +0.000000 | HookCallFunction Log::create_stream(Notice::ALARM_LOG, [columns=, ev=]) +0.000000 | HookCallFunction Log::create_stream(Notice::LOG, [columns=, ev=Notice::log_notice]) +0.000000 | HookCallFunction Log::create_stream(PacketFilter::LOG, [columns=, ev=]) +0.000000 | HookCallFunction Log::create_stream(RADIUS::LOG, [columns=, ev=RADIUS::log_radius]) +0.000000 | HookCallFunction Log::create_stream(Reporter::LOG, [columns=, ev=]) +0.000000 | HookCallFunction Log::create_stream(SMTP::LOG, [columns=, ev=SMTP::log_smtp]) +0.000000 | HookCallFunction Log::create_stream(SNMP::LOG, [columns=, ev=SNMP::log_snmp]) +0.000000 | HookCallFunction Log::create_stream(SOCKS::LOG, [columns=, ev=SOCKS::log_socks]) +0.000000 | HookCallFunction Log::create_stream(SSH::LOG, [columns=, ev=SSH::log_ssh]) +0.000000 | HookCallFunction Log::create_stream(SSL::LOG, [columns=, ev=SSL::log_ssl]) +0.000000 | HookCallFunction Log::create_stream(Signatures::LOG, [columns=, ev=Signatures::log_signature]) +0.000000 | HookCallFunction Log::create_stream(Software::LOG, [columns=, ev=Software::log_software]) +0.000000 | HookCallFunction Log::create_stream(Syslog::LOG, [columns=, ev=]) +0.000000 | HookCallFunction Log::create_stream(Tunnel::LOG, [columns=, ev=]) +0.000000 | HookCallFunction Log::create_stream(Unified2::LOG, [columns=, ev=Unified2::log_unified2]) +0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird]) +0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, 
ev=X509::log_x509]) +0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1412734245.308401, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Notice::want_pp() +0.000000 | HookCallFunction PacketFilter::build() +0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, ) +0.000000 | HookCallFunction PacketFilter::install() +0.000000 | HookCallFunction SumStats::add_observe_plugin_dependency(SumStats::STD_DEV, SumStats::VARIANCE) +0.000000 | HookCallFunction SumStats::add_observe_plugin_dependency(SumStats::VARIANCE, SumStats::AVERAGE) +0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::AVERAGE, anonymous-function{ if (!SumStats::rv?$average) SumStats::rv$average = SumStats::valelseSumStats::rv$average += (SumStats::val - SumStats::rv$average) / (coerce SumStats::rv$num to double)}) +0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::HLL_UNIQUE, anonymous-function{ if (!SumStats::rv?$card) { SumStats::rv$card = hll_cardinality_init(SumStats::r$hll_error_margin, SumStats::r$hll_confidence)SumStats::rv$hll_error_margin = SumStats::r$hll_error_marginSumStats::rv$hll_confidence = SumStats::r$hll_confidence}hll_cardinality_add(SumStats::rv$card, SumStats::obs)SumStats::rv$hll_unique = double_to_count(hll_cardinality_estimate(SumStats::rv$card))}) +0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::LAST, anonymous-function{ if (0 < SumStats::r$num_last_elements) { if (!SumStats::rv?$last_elements) SumStats::rv$last_elements = Queue::init((coerce [$max_len=SumStats::r$num_last_elements] to Queue::Settings))Queue::put(SumStats::rv$last_elements, SumStats::obs)}}) +0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::MAX, anonymous-function{ if (!SumStats::rv?$max) SumStats::rv$max = 
SumStats::valelseif (SumStats::rv$max < SumStats::val) SumStats::rv$max = SumStats::val}) +0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::MIN, anonymous-function{ if (!SumStats::rv?$min) SumStats::rv$min = SumStats::valelseif (SumStats::val < SumStats::rv$min) SumStats::rv$min = SumStats::val}) +0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::SAMPLE, anonymous-function{ SumStats::sample_add_sample(SumStats::obs, SumStats::rv)}) +0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::STD_DEV, anonymous-function{ SumStats::calc_std_dev(SumStats::rv)}) +0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::SUM, anonymous-function{ SumStats::rv$sum += SumStats::val}) +0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::TOPK, anonymous-function{ topk_add(SumStats::rv$topk, SumStats::obs)}) +0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals}) +0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average}) +0.000000 | HookCallFunction SumStats::register_observe_plugins() +0.000000 | HookCallFunction bro_init() +0.000000 | HookCallFunction cat(Packe, t, _, Filter) +0.000000 | HookCallFunction current_time() +0.000000 | HookCallFunction filter_change_tracking() +0.000000 | HookCallFunction fmt(%s, 
PacketFilter::LOG) +0.000000 | HookCallFunction getenv(CLUSTER_NODE) +0.000000 | HookCallFunction install_pcap_filter(PacketFilter::DefaultPcapFilter) +0.000000 | HookCallFunction network_time() +0.000000 | HookCallFunction precompile_pcap_filter(PacketFilter::DefaultPcapFilter, ip or not ip) +0.000000 | HookCallFunction reading_live_traffic() +0.000000 | HookCallFunction reading_traces() +0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$) +0.000000 | HookCallFunction split1(PacketFilter::LOG, <...>/) +0.000000 | HookCallFunction split_n(PacketFilter, <...>/, T, 4) +0.000000 | HookCallFunction string_to_pattern((^\.?|\.)()$, F) +0.000000 | HookCallFunction sub((^\.?|\.)(~~)$, <...>/, ) +0.000000 | HookCallFunction sub_bytes(tFilter, 1, 1) +0.000000 | HookCallFunction sub_bytes(tFilter, 2, 7) +0.000000 | HookCallFunction to_lower(Packet_Filter) +0.000000 | HookDrainEvents +0.000000 | HookLoadFile ..<...>/bro +0.000000 | HookLoadFile .<...>/bro +0.000000 | HookLoadFile <...>/bro +0.000000 | HookLoadFile base<...>/bif +0.000000 | HookLoadFile base<...>/bro +0.000000 | HookQueueEvent bro_init() +0.000000 | HookQueueEvent filter_change_tracking() +1362692526.869344 MetaHookPost BroObjDtor() -> +1362692526.869344 MetaHookPost CallFunction(ChecksumOffloading::check, , ()) -> +1362692526.869344 MetaHookPost CallFunction(filter_change_tracking, , ()) -> +1362692526.869344 MetaHookPost CallFunction(net_stats, frame , ()) -> +1362692526.869344 MetaHookPost CallFunction(new_connection, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=])) -> +1362692526.869344 MetaHookPost DrainEvents() -> +1362692526.869344 MetaHookPost QueueEvent(ChecksumOffloading::check()) -> false +1362692526.869344 MetaHookPost QueueEvent(filter_change_tracking()) -> false +1362692526.869344 MetaHookPost QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false +1362692526.869344 MetaHookPost UpdateNetworkTime(1362692526.869344) -> +1362692526.869344 MetaHookPre BroObjDtor() +1362692526.869344 MetaHookPre CallFunction(ChecksumOffloading::check, , ()) +1362692526.869344 MetaHookPre CallFunction(filter_change_tracking, , ()) +1362692526.869344 MetaHookPre CallFunction(net_stats, frame , ()) +1362692526.869344 MetaHookPre CallFunction(new_connection, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.869344 MetaHookPre DrainEvents() +1362692526.869344 MetaHookPre QueueEvent(ChecksumOffloading::check()) +1362692526.869344 MetaHookPre QueueEvent(filter_change_tracking()) +1362692526.869344 MetaHookPre QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, 
num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.869344 MetaHookPre UpdateNetworkTime(1362692526.869344) +1362692526.869344 | HookBroObjDtor +1362692526.869344 | HookUpdateNetworkTime 1362692526.869344 +1362692526.869344 | HookCallFunction ChecksumOffloading::check() +1362692526.869344 | HookCallFunction filter_change_tracking() +1362692526.869344 | HookCallFunction net_stats() +1362692526.869344 | HookCallFunction new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692526.869344 | HookDrainEvents +1362692526.869344 | HookQueueEvent ChecksumOffloading::check() +1362692526.869344 | HookQueueEvent filter_change_tracking() +1362692526.869344 | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, 
smtp_state=, socks=, ssh=, syslog=]) +1362692526.869344 | RequestObjDtor ChecksumOffloading::check() +1362692526.939084 MetaHookPost CallFunction(connection_established, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692526.939084 MetaHookPost DrainEvents() -> +1362692526.939084 MetaHookPost QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false +1362692526.939084 MetaHookPost UpdateNetworkTime(1362692526.939084) -> +1362692526.939084 MetaHookPre CallFunction(connection_established, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.939084 MetaHookPre 
DrainEvents() +1362692526.939084 MetaHookPre QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.939084 MetaHookPre UpdateNetworkTime(1362692526.939084) +1362692526.939084 | HookUpdateNetworkTime 1362692526.939084 +1362692526.939084 | HookCallFunction connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692526.939084 | HookDrainEvents +1362692526.939084 | HookQueueEvent connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692526.939378 MetaHookPost DrainEvents() -> +1362692526.939378 MetaHookPost UpdateNetworkTime(1362692526.939378) 
-> +1362692526.939378 MetaHookPre DrainEvents() +1362692526.939378 MetaHookPre UpdateNetworkTime(1362692526.939378) +1362692526.939378 | HookUpdateNetworkTime 1362692526.939378 +1362692526.939378 | HookDrainEvents +1362692526.939527 MetaHookPost CallFunction(Analyzer::__name, frame Analyzer::ANALYZER_HTTP, (Analyzer::ANALYZER_HTTP)) -> +1362692526.939527 MetaHookPost CallFunction(Analyzer::name, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]Analyzer::ANALYZER_HTTP3, (Analyzer::ANALYZER_HTTP)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::get_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::new_http_session, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, 
dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, frame 
[id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, T)) -> +1362692526.939527 MetaHookPost CallFunction(cat, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]T1, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> +1362692526.939527 MetaHookPost CallFunction(fmt, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, 
state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]Analyzer::ANALYZER_HTTP3HTTP, (-%s, HTTP)) -> +1362692526.939527 MetaHookPost CallFunction(fmt, frame [orig_h=141.142.228.5, orig_p=59856<...>/tcp)) -> +1362692526.939527 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, 
orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) -> +1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> +1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) -> +1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) -> +1362692526.939527 MetaHookPost CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, 
resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> +1362692526.939527 MetaHookPost CallFunction(http_request, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> +1362692526.939527 MetaHookPost CallFunction(id_string, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> +1362692526.939527 MetaHookPost CallFunction(network_time, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=][ts=, uid=, id=[orig_h=, orig_p=, resp_h=, resp_p=], trans_depth=, method=, host=, uri=, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0], ()) -> +1362692526.939527 MetaHookPost CallFunction(protocol_confirmation, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, 
uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) -> +1362692526.939527 MetaHookPost CallFunction(set_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]T[get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? 
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}], (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> +1362692526.939527 MetaHookPost CallFunction(split1, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/)) -> +1362692526.939527 MetaHookPost DrainEvents() -> +1362692526.939527 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false +1362692526.939527 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false +1362692526.939527 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], 
orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false +1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) -> false +1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> false +1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) -> false +1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) -> false +1362692526.939527 MetaHookPost 
QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false +1362692526.939527 MetaHookPost QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> false +1362692526.939527 MetaHookPost UpdateNetworkTime(1362692526.939527) -> +1362692526.939527 MetaHookPre CallFunction(Analyzer::__name, frame Analyzer::ANALYZER_HTTP, (Analyzer::ANALYZER_HTTP)) +1362692526.939527 MetaHookPre CallFunction(Analyzer::name, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]Analyzer::ANALYZER_HTTP3, (Analyzer::ANALYZER_HTTP)) +1362692526.939527 MetaHookPre CallFunction(HTTP::get_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, 
resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::new_http_session, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) +1362692526.939527 MetaHookPre 
CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, T)) +1362692526.939527 MetaHookPre CallFunction(cat, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, 
tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]T1, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) +1362692526.939527 MetaHookPre CallFunction(fmt, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]Analyzer::ANALYZER_HTTP3HTTP, (-%s, HTTP)) +1362692526.939527 MetaHookPre CallFunction(fmt, frame [orig_h=141.142.228.5, orig_p=59856<...>/tcp)) +1362692526.939527 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, 
capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) +1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) +1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) +1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, 
resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) +1362692526.939527 MetaHookPre CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) +1362692526.939527 MetaHookPre CallFunction(http_request, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) +1362692526.939527 MetaHookPre CallFunction(id_string, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp])) +1362692526.939527 MetaHookPre CallFunction(network_time, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=][ts=, uid=, id=[orig_h=, orig_p=, resp_h=, resp_p=], trans_depth=, method=, host=, uri=, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, 
filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0], ()) +1362692526.939527 MetaHookPre CallFunction(protocol_confirmation, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) +1362692526.939527 MetaHookPre CallFunction(set_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]T[get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? 
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}], (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) +1362692526.939527 MetaHookPre CallFunction(split1, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/)) +1362692526.939527 MetaHookPre DrainEvents() +1362692526.939527 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, 
num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) +1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) +1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) +1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) +1362692526.939527 MetaHookPre QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, 
response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) +1362692526.939527 MetaHookPre QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) +1362692526.939527 MetaHookPre UpdateNetworkTime(1362692526.939527) +1362692526.939527 | HookUpdateNetworkTime 1362692526.939527 +1362692526.939527 | HookCallFunction Analyzer::__name(Analyzer::ANALYZER_HTTP) +1362692526.939527 | HookCallFunction Analyzer::name(Analyzer::ANALYZER_HTTP) +1362692526.939527 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction HTTP::new_http_session([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, 
current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T) +1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T) +1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T) +1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, 
info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, T) +1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, T) +1362692526.939527 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) +1362692526.939527 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) +1362692526.939527 | HookCallFunction fmt(-%s, HTTP) +1362692526.939527 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, user_agent=, request_body_len=0, 
response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*) +1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0)) +1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive) +1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, 
proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org) +1362692526.939527 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]) +1362692526.939527 | HookCallFunction http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1) +1362692526.939527 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) +1362692526.939527 | HookCallFunction network_time() +1362692526.939527 | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3) +1362692526.939527 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80) +1362692526.939527 | 
HookCallFunction split1(bro.org, <...>/) +1362692526.939527 | HookDrainEvents +1362692526.939527 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*) +1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, 
orig_p=59856<...>/1.14 (darwin12.2.0)) +1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive) +1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org) +1362692526.939527 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]) +1362692526.939527 | HookQueueEvent http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 
1.1) +1362692527.008509 MetaHookPost DrainEvents() -> +1362692527.008509 MetaHookPost UpdateNetworkTime(1362692527.008509) -> +1362692527.008509 MetaHookPre DrainEvents() +1362692527.008509 MetaHookPre UpdateNetworkTime(1362692527.008509) +1362692527.008509 | HookUpdateNetworkTime 1362692527.008509 +1362692527.008509 | HookDrainEvents +1362692527.009512 MetaHookPost CallFunction(Files::__add_analyzers_for_mime_type, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, [chunk_event=, stream_event=, extract_filename=, extract_limit=0])) -> +1362692527.009512 MetaHookPost CallFunction(Files::add_analyzers_for_mime_type, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_info, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_info, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::code_in_range, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]1.1200OK[pending={}, 
current_request=0, current_response=0], (200, 100, 199)) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::get_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, 
info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> +1362692527.009512 MetaHookPost CallFunction(cat, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]F1, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> +1362692527.009512 MetaHookPost CallFunction(file_new, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(file_over_new_connection, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(fmt, frame [orig_h=141.142.228.5, orig_p=59856<...>/tcp)) -> +1362692527.009512 MetaHookPost 
CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, 
proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, 
snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> +1362692527.009512 MetaHookPost CallFunction(http_reply, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, 
current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> +1362692527.009512 MetaHookPost CallFunction(id_string, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> +1362692527.009512 MetaHookPost CallFunction(set_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]F[get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? 
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}], (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> +1362692527.009512 MetaHookPost CallFunction(split_all, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/)) -> +1362692527.009512 MetaHookPost DrainEvents() -> +1362692527.009512 MetaHookPost QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) -> false +1362692527.009512 MetaHookPost QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false +1362692527.009512 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, 
orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), 
request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, 
orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> false +1362692527.009512 MetaHookPost UpdateNetworkTime(1362692527.009512) -> +1362692527.009512 MetaHookPre CallFunction(Files::__add_analyzers_for_mime_type, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, [chunk_event=, stream_event=, extract_filename=, extract_limit=0])) +1362692527.009512 MetaHookPre 
CallFunction(Files::add_analyzers_for_mime_type, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) +1362692527.009512 MetaHookPre CallFunction(Files::set_info, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::set_info, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(HTTP::code_in_range, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]1.1200OK[pending={}, current_request=0, current_response=0], (200, 100, 199)) +1362692527.009512 MetaHookPre CallFunction(HTTP::get_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 
+1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) +1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) +1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) +1362692527.009512 MetaHookPre CallFunction(cat, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, 
orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]F1, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) +1362692527.009512 MetaHookPre CallFunction(file_new, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(file_over_new_connection, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(fmt, frame [orig_h=141.142.228.5, orig_p=59856<...>/tcp)) +1362692527.009512 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), 
request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], 
orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) +1362692527.009512 MetaHookPre 
CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) +1362692527.009512 MetaHookPre CallFunction(http_reply, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) +1362692527.009512 MetaHookPre CallFunction(id_string, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp])) +1362692527.009512 MetaHookPre CallFunction(set_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, 
current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]F[get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}], (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) +1362692527.009512 MetaHookPre CallFunction(split_all, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/)) +1362692527.009512 MetaHookPre DrainEvents() +1362692527.009512 MetaHookPre QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) +1362692527.009512 MetaHookPre QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, 
[id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, 
resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), 
request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) +1362692527.009512 MetaHookPre QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) +1362692527.009512 MetaHookPre UpdateNetworkTime(1362692527.009512) +1362692527.009512 | HookUpdateNetworkTime 1362692527.009512 +1362692527.009512 | HookCallFunction 
Files::__add_analyzers_for_mime_type(FakNcS1Jfe01uljb3, text/plain, [chunk_event=, stream_event=, extract_filename=, extract_limit=0]) +1362692527.009512 | HookCallFunction Files::add_analyzers_for_mime_type([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain) +1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=]) +1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=]) +1362692527.009512 | HookCallFunction HTTP::code_in_range(200, 100, 199) +1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, 
radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F) +1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F) +1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F) +1362692527.009512 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) +1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=]) +1362692527.009512 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, 
current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) +1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 
(darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, 
current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0") +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora)) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8) +1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, 
orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK) +1362692527.009512 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) +1362692527.009512 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) +1362692527.009512 | HookCallFunction split_all(HTTP, <...>/) +1362692527.009512 | HookDrainEvents +1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=]) +1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), 
request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, 
radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0") +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, 
username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora)) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8) +1362692527.009512 | HookQueueEvent http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK) +1362692527.009721 MetaHookPost DrainEvents() -> +1362692527.009721 MetaHookPost UpdateNetworkTime(1362692527.009721) -> +1362692527.009721 MetaHookPre DrainEvents() +1362692527.009721 MetaHookPre UpdateNetworkTime(1362692527.009721) +1362692527.009721 | HookUpdateNetworkTime 1362692527.009721 +1362692527.009721 | HookDrainEvents +1362692527.009765 MetaHookPost DrainEvents() -> +1362692527.009765 MetaHookPost UpdateNetworkTime(1362692527.009765) -> +1362692527.009765 MetaHookPre DrainEvents() +1362692527.009765 MetaHookPre UpdateNetworkTime(1362692527.009765) +1362692527.009765 | HookUpdateNetworkTime 1362692527.009765 +1362692527.009765 | HookDrainEvents +1362692527.009775 MetaHookPost CallFunction(Files::set_info, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, 
local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -> +1362692527.009775 MetaHookPost CallFunction(HTTP::code_in_range, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]F[start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280], (200, 100, 199)) -> +1362692527.009775 MetaHookPost CallFunction(HTTP::get_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009775 MetaHookPost CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> +1362692527.009775 MetaHookPost CallFunction(Log::__write, frame Files::LOG[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text<...>/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) -> +1362692527.009775 MetaHookPost CallFunction(Log::__write, frame HTTP::LOG[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -> +1362692527.009775 MetaHookPost 
CallFunction(Log::default_path_func, , (Files::LOG, , [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) -> +1362692527.009775 MetaHookPost CallFunction(Log::default_path_func, , (HTTP::LOG, , [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -> +1362692527.009775 MetaHookPost CallFunction(Log::write, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) -> +1362692527.009775 MetaHookPost CallFunction(Log::write, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -> +1362692527.009775 MetaHookPost CallFunction(cat, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]F1, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> +1362692527.009775 MetaHookPost CallFunction(file_state_remove, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], 
u2_events=])) -> +1362692527.009775 MetaHookPost CallFunction(fmt, frame Files::LOG[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], (%s, Files::LOG)) -> +1362692527.009775 MetaHookPost CallFunction(fmt, frame HTTP::LOG[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], (%s, HTTP::LOG)) -> +1362692527.009775 MetaHookPost CallFunction(fmt, frame [orig_h=141.142.228.5, orig_p=59856<...>/tcp)) -> +1362692527.009775 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009775 MetaHookPost CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009775 MetaHookPost CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> +1362692527.009775 MetaHookPost CallFunction(id_string, frame [id=[orig_h=141.142.228.5, 
orig_p=59856<...>/tcp])) -> +1362692527.009775 MetaHookPost CallFunction(set_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]F[get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}], (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> +1362692527.009775 MetaHookPost CallFunction(split1, frame Files::LOG[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text<...>/)) -> +1362692527.009775 MetaHookPost CallFunction(split1, frame HTTP::LOG[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/)) -> +1362692527.009775 MetaHookPost CallFunction(split_n, frame Files::LOG[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text<...>/, T, 4)) -> +1362692527.009775 MetaHookPost CallFunction(split_n, frame HTTP::LOG[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/, T, 4)) -> 
+1362692527.009775 MetaHookPost CallFunction(to_lower, frame Files::LOG[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=]Files::LOG{[2] = LOG,[1] = Files}{[1] = Files}Files, (Files)) -> +1362692527.009775 MetaHookPost CallFunction(to_lower, frame HTTP::LOG[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]HTTP::LOG{[2] = LOG,[1] = HTTP}{[1] = HTTP}HTTP, (HTTP)) -> +1362692527.009775 MetaHookPost DrainEvents() -> +1362692527.009775 MetaHookPost QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -> false +1362692527.009775 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false +1362692527.009775 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false +1362692527.009775 MetaHookPost QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], 
current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> false +1362692527.009775 MetaHookPost UpdateNetworkTime(1362692527.009775) -> +1362692527.009775 MetaHookPre CallFunction(Files::set_info, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) +1362692527.009775 MetaHookPre CallFunction(HTTP::code_in_range, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]F[start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280], (200, 100, 199)) +1362692527.009775 MetaHookPre CallFunction(HTTP::get_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009775 MetaHookPre CallFunction(HTTP::set_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) +1362692527.009775 MetaHookPre CallFunction(Log::__write, frame Files::LOG[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, 
rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text<...>/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) +1362692527.009775 MetaHookPre CallFunction(Log::__write, frame HTTP::LOG[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) +1362692527.009775 MetaHookPre CallFunction(Log::default_path_func, , (Files::LOG, , [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) +1362692527.009775 MetaHookPre CallFunction(Log::default_path_func, , (HTTP::LOG, , [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) +1362692527.009775 MetaHookPre CallFunction(Log::write, frame [id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) +1362692527.009775 MetaHookPre CallFunction(Log::write, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) +1362692527.009775 MetaHookPre CallFunction(cat, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, 
current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]F1, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) +1362692527.009775 MetaHookPre CallFunction(file_state_remove, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) +1362692527.009775 MetaHookPre CallFunction(fmt, frame Files::LOG[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], (%s, Files::LOG)) +1362692527.009775 MetaHookPre CallFunction(fmt, frame HTTP::LOG[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], (%s, HTTP::LOG)) +1362692527.009775 MetaHookPre CallFunction(fmt, frame [orig_h=141.142.228.5, orig_p=59856<...>/tcp)) +1362692527.009775 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009775 MetaHookPre CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 
F)) +1362692527.009775 MetaHookPre CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) +1362692527.009775 MetaHookPre CallFunction(id_string, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp])) +1362692527.009775 MetaHookPre CallFunction(set_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]F[get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? 
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}], (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) +1362692527.009775 MetaHookPre CallFunction(split1, frame Files::LOG[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text<...>/)) +1362692527.009775 MetaHookPre CallFunction(split1, frame HTTP::LOG[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/)) +1362692527.009775 MetaHookPre CallFunction(split_n, frame Files::LOG[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text<...>/, T, 4)) +1362692527.009775 MetaHookPre CallFunction(split_n, frame HTTP::LOG[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/, T, 4)) +1362692527.009775 MetaHookPre CallFunction(to_lower, frame Files::LOG[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=]Files::LOG{[2] = LOG,[1] = Files}{[1] = Files}Files, (Files)) +1362692527.009775 MetaHookPre CallFunction(to_lower, frame HTTP::LOG[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, 
id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]HTTP::LOG{[2] = LOG,[1] = HTTP}{[1] = HTTP}HTTP, (HTTP)) +1362692527.009775 MetaHookPre DrainEvents() +1362692527.009775 MetaHookPre QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) +1362692527.009775 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009775 MetaHookPre QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009775 MetaHookPre QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) +1362692527.009775 MetaHookPre UpdateNetworkTime(1362692527.009775) +1362692527.009775 | HookUpdateNetworkTime 1362692527.009775 +1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, 
total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=]) +1362692527.009775 | HookCallFunction HTTP::code_in_range(200, 100, 199) +1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009775 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F) +1362692527.009775 | HookCallFunction Log::__write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=]) +1362692527.009775 | HookCallFunction Log::__write(HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]) +1362692527.009775 | HookCallFunction Log::default_path_func(Files::LOG, , [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=]) +1362692527.009775 | HookCallFunction Log::default_path_func(HTTP::LOG, , 
[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]) +1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=]) +1362692527.009775 | HookCallFunction Log::write(HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]) +1362692527.009775 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) +1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=]) +1362692527.009775 | HookCallFunction fmt(%s, Files::LOG) +1362692527.009775 | HookCallFunction fmt(%s, HTTP::LOG) +1362692527.009775 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) +1362692527.009775 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009775 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, 
resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009775 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]) +1362692527.009775 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) +1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) +1362692527.009775 | HookCallFunction split1(Files::LOG, <...>/) +1362692527.009775 | HookCallFunction split1(HTTP::LOG, <...>/) +1362692527.009775 | HookCallFunction split_n(Files, <...>/, T, 4) +1362692527.009775 | HookCallFunction split_n(HTTP, <...>/, T, 4) +1362692527.009775 | HookCallFunction to_lower(Files) +1362692527.009775 | HookCallFunction to_lower(HTTP) +1362692527.009775 | HookDrainEvents +1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=]) +1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], 
current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009775 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]) +1362692527.009855 MetaHookPost DrainEvents() -> +1362692527.009855 MetaHookPost UpdateNetworkTime(1362692527.009855) -> +1362692527.009855 MetaHookPre DrainEvents() +1362692527.009855 MetaHookPre UpdateNetworkTime(1362692527.009855) +1362692527.009855 | HookUpdateNetworkTime 1362692527.009855 +1362692527.009855 | HookDrainEvents +1362692527.009887 MetaHookPost DrainEvents() -> +1362692527.009887 MetaHookPost UpdateNetworkTime(1362692527.009887) -> +1362692527.009887 MetaHookPre DrainEvents() +1362692527.009887 MetaHookPre UpdateNetworkTime(1362692527.009887) +1362692527.009887 | HookUpdateNetworkTime 1362692527.009887 +1362692527.009887 | HookDrainEvents +1362692527.011846 MetaHookPost DrainEvents() -> +1362692527.011846 MetaHookPost UpdateNetworkTime(1362692527.011846) -> +1362692527.011846 MetaHookPre DrainEvents() +1362692527.011846 MetaHookPre UpdateNetworkTime(1362692527.011846) +1362692527.011846 | HookUpdateNetworkTime 1362692527.011846 +1362692527.011846 | HookDrainEvents +1362692527.080828 MetaHookPost DrainEvents() -> +1362692527.080828 MetaHookPost UpdateNetworkTime(1362692527.080828) -> +1362692527.080828 MetaHookPre DrainEvents() +1362692527.080828 MetaHookPre UpdateNetworkTime(1362692527.080828) +1362692527.080828 | HookUpdateNetworkTime 1362692527.080828 +1362692527.080828 | HookDrainEvents +1362692527.080972 MetaHookPost 
CallFunction(ChecksumOffloading::check, , ()) -> +1362692527.080972 MetaHookPost CallFunction(Conn::conn_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp)) -> +1362692527.080972 MetaHookPost CallFunction(Conn::determine_service, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692527.080972 MetaHookPost CallFunction(Conn::set_conn, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692527.080972 MetaHookPost CallFunction(HTTP::get_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692527.080972 MetaHookPost CallFunction(Log::__write, frame Conn::LOG[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> +1362692527.080972 MetaHookPost CallFunction(Log::default_path_func, , (Conn::LOG, , [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, 
duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> +1362692527.080972 MetaHookPost CallFunction(Log::write, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> +1362692527.080972 MetaHookPost CallFunction(bro_done, , ()) -> +1362692527.080972 MetaHookPost CallFunction(cat, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]T1, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> +1362692527.080972 MetaHookPost CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692527.080972 MetaHookPost CallFunction(filter_change_tracking, , ()) -> +1362692527.080972 MetaHookPost CallFunction(fmt, frame Conn::LOG[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}], (%s, Conn::LOG)) -> +1362692527.080972 MetaHookPost CallFunction(fmt, frame [orig_h=141.142.228.5, orig_p=59856<...>/tcp)) -> +1362692527.080972 MetaHookPost CallFunction(get_file_handle, , 
(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692527.080972 MetaHookPost CallFunction(get_port_transport_proto, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp)) -> +1362692527.080972 MetaHookPost CallFunction(id_string, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> +1362692527.080972 MetaHookPost CallFunction(is_tcp_port, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp)) -> +1362692527.080972 MetaHookPost CallFunction(net_done, , (1362692527.080972)) -> +1362692527.080972 MetaHookPost CallFunction(net_stats, frame , ()) -> +1362692527.080972 MetaHookPost CallFunction(reading_traces, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], ()) -> +1362692527.080972 MetaHookPost CallFunction(set_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]T[get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? 
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}], (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> +1362692527.080972 MetaHookPost CallFunction(split1, frame Conn::LOG[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/)) -> +1362692527.080972 MetaHookPost CallFunction(split_n, frame Conn::LOG[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/, T, 4)) -> +1362692527.080972 MetaHookPost CallFunction(sub_bytes, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]HTTP, (HTTP, 0, 1)) -> +1362692527.080972 MetaHookPost CallFunction(to_lower, frame Conn::LOG[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]Conn::LOG{[2] = LOG,[1] = Conn}{[1] = Conn}Conn, (Conn)) -> +1362692527.080972 MetaHookPost CallFunction(to_lower, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]HTTPHTTP, (HTTP)) -> +1362692527.080972 MetaHookPost 
DrainEvents() -> +1362692527.080972 MetaHookPost QueueEvent(ChecksumOffloading::check()) -> false +1362692527.080972 MetaHookPost QueueEvent(bro_done()) -> false +1362692527.080972 MetaHookPost QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false +1362692527.080972 MetaHookPost QueueEvent(filter_change_tracking()) -> false +1362692527.080972 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false +1362692527.080972 MetaHookPost UpdateNetworkTime(1362692527.080972) -> +1362692527.080972 MetaHookPre CallFunction(ChecksumOffloading::check, , ()) +1362692527.080972 MetaHookPre CallFunction(Conn::conn_state, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp)) +1362692527.080972 MetaHookPre CallFunction(Conn::determine_service, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692527.080972 MetaHookPre CallFunction(Conn::set_conn, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, 
socks=, ssh=, syslog=], T)) +1362692527.080972 MetaHookPre CallFunction(HTTP::get_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692527.080972 MetaHookPre CallFunction(Log::__write, frame Conn::LOG[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) +1362692527.080972 MetaHookPre CallFunction(Log::default_path_func, , (Conn::LOG, , [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) +1362692527.080972 MetaHookPre CallFunction(Log::write, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) +1362692527.080972 MetaHookPre CallFunction(bro_done, , ()) +1362692527.080972 MetaHookPre CallFunction(cat, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]T1, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) +1362692527.080972 
MetaHookPre CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692527.080972 MetaHookPre CallFunction(filter_change_tracking, , ()) +1362692527.080972 MetaHookPre CallFunction(fmt, frame Conn::LOG[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}], (%s, Conn::LOG)) +1362692527.080972 MetaHookPre CallFunction(fmt, frame [orig_h=141.142.228.5, orig_p=59856<...>/tcp)) +1362692527.080972 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692527.080972 MetaHookPre CallFunction(get_port_transport_proto, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp)) +1362692527.080972 MetaHookPre CallFunction(id_string, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp])) +1362692527.080972 MetaHookPre CallFunction(is_tcp_port, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp)) +1362692527.080972 MetaHookPre CallFunction(net_done, , (1362692527.080972)) +1362692527.080972 MetaHookPre CallFunction(net_stats, frame , ()) +1362692527.080972 MetaHookPre CallFunction(reading_traces, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, 
smtp_state=, socks=, ssh=, syslog=], ()) +1362692527.080972 MetaHookPre CallFunction(set_file_handle, frame Analyzer::ANALYZER_HTTP[id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]T[get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}], (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) +1362692527.080972 MetaHookPre CallFunction(split1, frame Conn::LOG[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/)) +1362692527.080972 MetaHookPre CallFunction(split_n, frame Conn::LOG[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/, T, 4)) +1362692527.080972 MetaHookPre CallFunction(sub_bytes, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]HTTP, (HTTP, 0, 1)) +1362692527.080972 MetaHookPre CallFunction(to_lower, frame Conn::LOG[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, 
service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]Conn::LOG{[2] = LOG,[1] = Conn}{[1] = Conn}Conn, (Conn)) +1362692527.080972 MetaHookPre CallFunction(to_lower, frame [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]HTTPHTTP, (HTTP)) +1362692527.080972 MetaHookPre DrainEvents() +1362692527.080972 MetaHookPre QueueEvent(ChecksumOffloading::check()) +1362692527.080972 MetaHookPre QueueEvent(bro_done()) +1362692527.080972 MetaHookPre QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692527.080972 MetaHookPre QueueEvent(filter_change_tracking()) +1362692527.080972 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692527.080972 MetaHookPre UpdateNetworkTime(1362692527.080972) +1362692527.080972 | HookUpdateNetworkTime 1362692527.080972 +1362692527.080972 | HookCallFunction ChecksumOffloading::check() +1362692527.080972 | HookCallFunction Conn::conn_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp) 
+1362692527.080972 | HookCallFunction Conn::determine_service([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692527.080972 | HookCallFunction Conn::set_conn([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692527.080972 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692527.080972 | HookCallFunction Log::__write(Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]) +1362692527.080972 | HookCallFunction Log::default_path_func(Conn::LOG, , [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]) +1362692527.080972 | HookCallFunction Log::write(Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, 
orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]) +1362692527.080972 | HookCallFunction bro_done() +1362692527.080972 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) +1362692527.080972 | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692527.080972 | HookCallFunction filter_change_tracking() +1362692527.080972 | HookCallFunction fmt(%s, Conn::LOG) +1362692527.080972 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) +1362692527.080972 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692527.080972 | HookCallFunction get_port_transport_proto(80/tcp) +1362692527.080972 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) +1362692527.080972 | HookCallFunction is_tcp_port(59856/tcp) +1362692527.080972 | HookCallFunction net_done(1362692527.080972) +1362692527.080972 | HookCallFunction net_stats() +1362692527.080972 | HookCallFunction reading_traces() +1362692527.080972 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80) +1362692527.080972 | HookCallFunction split1(Conn::LOG, <...>/) +1362692527.080972 | HookCallFunction split_n(Conn, <...>/, T, 4) +1362692527.080972 | HookCallFunction sub_bytes(HTTP, 0, 1) +1362692527.080972 | HookCallFunction to_lower(Conn) +1362692527.080972 | HookCallFunction to_lower(HTTP) +1362692527.080972 | HookDrainEvents 
+1362692527.080972 | HookQueueEvent ChecksumOffloading::check() +1362692527.080972 | HookQueueEvent bro_done() +1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692527.080972 | HookQueueEvent filter_change_tracking() +1362692527.080972 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) From 6055b56f5c8e6acba33be2efcb93b69a80961103 Mon Sep 17 00:00:00 2001 From: Gilbert Clark Date: Mon, 24 Nov 2014 14:28:17 -0500 Subject: [PATCH 008/109] Incremental --- src/Func.cc | 98 ++++++++++++++++++++------------------------ src/plugin/Plugin.cc | 54 ++++++++++++------------ src/plugin/Plugin.h | 84 ++++++++++++++++++------------------- 3 files changed, 114 insertions(+), 122 deletions(-) diff --git a/src/Func.cc b/src/Func.cc index 409bdcae25..ccc5698b2c 100644 --- a/src/Func.cc +++ b/src/Func.cc 
@@ -249,38 +249,34 @@ TraversalCode Func::Traverse(TraversalCallback* cb) const ValWrapper* Func::HandlePluginResult(ValWrapper* plugin_result, val_list* args, function_flavor flavor) const { - // We either have not received a plugin result, or the plugin result hasn't been processed (read: fall into ::Call method) - if(!plugin_result) - return NULL; + // We either have not received a plugin result, or the plugin result hasn't been processed (read: fall into ::Call method) + if(!plugin_result) + return NULL; - if(!plugin_result->processed) - { - if(plugin_result->value) - { - Unref(plugin_result->value); - plugin_result->value = NULL; - } - delete plugin_result; - return NULL; - } + if(!plugin_result->processed) + { + if(plugin_result->value) + { + Unref(plugin_result->value); + plugin_result->value = NULL; + } + delete plugin_result; + return NULL; + } switch ( flavor ) { case FUNC_FLAVOR_EVENT: - if(plugin_result->value) - { - char sbuf[1024]; - snprintf(sbuf, 1024, "plugin returned non-void result for event %s", this->Name()); - reporter->InternalError(sbuf); - } + if(plugin_result->value) + { + reporter->InternalError("plugin returned non-void result for event %s", this->Name()); + } break; case FUNC_FLAVOR_HOOK: if ( plugin_result->value->Type()->Tag() != TYPE_BOOL ) - { - char sbuf[1024]; - snprintf(sbuf, 1024, "plugin returned non-bool for hook %s", this->Name()); - reporter->InternalError(sbuf); - } + { + reporter->InternalError("plugin returned non-bool for hook %s", this->Name()); + } break; case FUNC_FLAVOR_FUNCTION: 
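Review bot: The `FUNC_FLAVOR_HOOK` branch dereferences `plugin_result->value` without a null check, although the `ValWrapper(bool processed)` constructor in src/plugin/Plugin.h builds exactly that: a processed wrapper whose value is NULL. A plugin that returns such a wrapper for a hook would crash inside `Type()` instead of reaching the internal-error report. The condition should read `if ( ! plugin_result->value || plugin_result->value->Type()->Tag() != TYPE_BOOL )`. The body of `HandlePluginResult` continues in the next hunk.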
@@ -289,19 +285,15 @@ ValWrapper* Func::HandlePluginResult(ValWrapper* plugin_result, val_list* args, if ( (! yt) || yt->Tag() == TYPE_VOID ) { - if(plugin_result && plugin_result->value) - { - char sbuf[1024]; - snprintf(sbuf, 1024, "plugin returned non-void result for void method %s", this->Name()); - reporter->InternalError(sbuf); - } - } + if(plugin_result && plugin_result->value) + { + reporter->InternalError("plugin returned non-void result for void method %s", this->Name()); + } + } else if ( plugin_result->value && plugin_result->value->Type()->Tag() != yt->Tag() && yt->Tag() != TYPE_ANY) { - char sbuf[1024]; - snprintf(sbuf, 1024, "plugin returned wrong type (got %d, expecting %d) for %s", plugin_result->value->Type()->Tag(), yt->Tag(), this->Name()); - reporter->InternalError(sbuf); - } + reporter->InternalError("plugin returned wrong type (got %d, expecting %d) for %s", plugin_result->value->Type()->Tag(), yt->Tag(), this->Name()); + } break; } @@ -358,13 +350,13 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const ValWrapper* plugin_result = PLUGIN_HOOK_WITH_RESULT(HOOK_CALL_FUNCTION, HookCallFunction(this, parent, args), 0); - plugin_result = HandlePluginResult(plugin_result, args, Flavor()); - if(plugin_result) - { - Val *result = plugin_result->value; - delete plugin_result; - return result; - } + plugin_result = HandlePluginResult(plugin_result, args, Flavor()); + if(plugin_result) + { + Val *result = plugin_result->value; + delete plugin_result; + return result; + } if ( bodies.empty() ) { 
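Review bot: In the `FUNC_FLAVOR_FUNCTION` branch the type comparison is guarded by `plugin_result->value &&`, so a processed wrapper with a NULL value passes validation silently even when the function yields a value. The `BroFunc::Call` hunk that follows then returns that NULL as the call result. Whether callers tolerate a null result is not visible here, so this may be intended; if it is not, reject it ahead of the type comparison with `else if ( ! plugin_result->value ) reporter->InternalError("plugin returned no result for non-void method %s", this->Name());`. In the void branch, `if(plugin_result && plugin_result->value)` re-tests a pointer already checked at the top of the function and can be reduced to `if ( plugin_result->value )`.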
@@ -455,11 +447,11 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const // Warn if the function returns something, but we returned from // the function without an explicit return, or without a value. else if ( FType()->YieldType() && FType()->YieldType()->Tag() != TYPE_VOID && - (flow != FLOW_RETURN /* we fell off the end */ || - ! result /* explicit return with no result */) && - ! f->HasDelayed() ) + (flow != FLOW_RETURN /* we fell off the end */ || + ! result /* explicit return with no result */) && + ! f->HasDelayed() ) reporter->Warning("non-void function returns without a value: %s", - Name()); + Name()); if ( result && g_trace_state.DoTrace() ) { @@ -580,13 +572,13 @@ Val* BuiltinFunc::Call(val_list* args, Frame* parent) const ValWrapper* plugin_result = PLUGIN_HOOK_WITH_RESULT(HOOK_CALL_FUNCTION, HookCallFunction(this, parent, args), 0); - plugin_result = HandlePluginResult(plugin_result, args, FUNC_FLAVOR_FUNCTION); - if(plugin_result) - { - Val *result = plugin_result->value; - delete plugin_result; - return result; - } + plugin_result = HandlePluginResult(plugin_result, args, FUNC_FLAVOR_FUNCTION); + if(plugin_result) + { + Val *result = plugin_result->value; + delete plugin_result; + return result; + } if ( g_trace_state.DoTrace() ) { diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index 1e98532ba6..9a571743af 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -83,12 +83,12 @@ void HookArgument::Describe(ODesc* d) const d->Add(""); break; - case FRAME: - if ( arg.frame ) - arg.frame->Describe(d); - else - d->Add(""); - break; + case FRAME: + if ( arg.frame ) + arg.frame->Describe(d); + else + d->Add(""); + break; case FUNC: if ( arg.func ) 
@@ -131,25 +131,25 @@ void HookArgument::Describe(ODesc* d) const case VOIDP: d->Add(""); break; - - case WRAPPED_VAL: - if ( arg.wrapper ) - { - d->Add("wrapped("); - if(arg.wrapper->value) - { - arg.wrapper->value->Describe(d); - } - else - d->Add(""); - d->Add(")"); - } - else - { - d->Add(""); - } + + case WRAPPED_VAL: + if ( arg.wrapper ) + { + d->Add("wrapped("); + if(arg.wrapper->value) + { + arg.wrapper->value->Describe(d); + } + else + d->Add(""); + d->Add(")"); + } + else + { + d->Add(""); + } - break; + break; } } @@ -226,7 +226,7 @@ void Plugin::InitPostScript() Plugin::bif_item_list Plugin::BifItems() const { - return bif_items; + return bif_items; } void Plugin::Done() @@ -399,7 +399,7 @@ void Plugin::Describe(ODesc* d) const type = ""; } - d->Add(" "); + d->Add(" "); d->Add("["); d->Add(type); d->Add("] "); @@ -414,7 +414,7 @@ void Plugin::Describe(ODesc* d) const HookType hook = (*i).first; int prio = (*i).second; - d->Add(" Implements "); + d->Add(" Implements "); d->Add(hook_name(hook)); d->Add(" (priority "); d->Add(prio); diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 65acb37b7a..af47a5f4bf 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h 
@@ -34,24 +34,24 @@ class Plugin; * Plugins' function handlers return a result of this type. */ struct ValWrapper { - Val* value; //< value being wrapped by this object - bool processed; //< true if execution should *STOP* (read: the plugin is replacing a method), and false if execution should *CONTINUE* (read: bro should execute a method) + Val* value; //< value being wrapped by this object + bool processed; //< true if execution should *STOP* (read: the plugin is replacing a method), and false if execution should *CONTINUE* (read: bro should execute a method) - /** - Wrapper for a specific value. If we're setting a value, we assume we've processed something. - - @param value value to be wrapped - */ - ValWrapper(Val* value) - : value(value), processed(true) { } + /** + Wrapper for a specific value. If we're setting a value, we assume we've processed something. + + @param value value to be wrapped + */ + ValWrapper(Val* value) + : value(value), processed(true) { } - /** - Wrapper for a specific value. If we're setting 'processed', we assume there's a reason we're not setting a Val and set that to NULL. - - @param processed whether or not an execution of a function was handled by the plugin - */ - ValWrapper(bool processed) - : value(NULL), processed(processed) { } + /** + Wrapper for a specific value. If we're setting 'processed', we assume there's a reason we're not setting a Val and set that to NULL. + + @param processed whether or not an execution of a function was handled by the plugin + */ + ValWrapper(bool processed) + : value(NULL), processed(processed) { } }; /** 
@@ -237,15 +237,15 @@ public: */ HookArgument(void* p) { type = VOIDP; arg.voidp = p; } - /** - * Constructor with a ValWrapper argument. - */ - HookArgument(ValWrapper* a) { type = WRAPPED_VAL; arg.wrapper = a; } + /** + * Constructor with a ValWrapper argument. + */ + HookArgument(ValWrapper* a) { type = WRAPPED_VAL; arg.wrapper = a; } - /** - * Constructor with a Frame argument. - */ - HookArgument(Frame* f) { type = FRAME; arg.frame = f; } + /** + * Constructor with a Frame argument. + */ + HookArgument(Frame* f) { type = FRAME; arg.frame = f; } /** * Returns the value for a boolen argument. The argument's type must @@ -289,17 +289,17 @@ public: */ const Val* AsVal() const { assert(type == VAL); return arg.val; } - /** - * Returns the value for a Bro wrapped value argument. The argument's type must - * match accordingly. - */ - const ValWrapper* AsValWrapper() const { assert(type == VAL_WRAPPER); return arg.wrapper; } + /** + * Returns the value for a Bro wrapped value argument. The argument's type must + * match accordingly. + */ + const ValWrapper* AsValWrapper() const { assert(type == VAL_WRAPPER); return arg.wrapper; } - /** - * Returns the value for a Bro frame argument. The argument's type must - * match accordingly. - */ - const Frame* AsFrame() const { assert(type == FRAME); return arg.frame; } + /** + * Returns the value for a Bro frame argument. The argument's type must + * match accordingly. + */ + const Frame* AsFrame() const { assert(type == FRAME); return arg.frame; } /** * Returns the value for a list of Bro values argument. The argument's type must @@ -332,10 +332,10 @@ private: double double_; const Event* event; const Func* func; - const Frame* frame; + const Frame* frame; int int_; const Val* val; - const ValWrapper* wrapper; + const ValWrapper* wrapper; const val_list* vals; const void* voidp; } arg; 
@@ -564,7 +564,7 @@ protected: * actually has code to execute for it. By calling this method, the * plugin tells Bro to raise the event even if there's no correspondong * handler; it will then go into HookQueueEvent() just as any other. - * + * * @param handler The event handler being interested in. */ void RequestEvent(EventHandlerPtr handler); @@ -621,11 +621,11 @@ protected: * counting. * * @return If the plugin handled the call, a ValWrapper with the - * processed flag set to true, and a value set on the object with - * a+1 reference count containing the result value to pass back to the - * interpreter. If the plugin did not handle the call, it may either - * return NULL *or* return a ValWrapper with the processed flag set to - * 'false'. + * processed flag set to true, and a value set on the object with + * a+1 reference count containing the result value to pass back to the + * interpreter. If the plugin did not handle the call, it may either + * return NULL *or* return a ValWrapper with the processed flag set to + * 'false'. */ virtual ValWrapper* HookCallFunction(const Func* func, Frame *parent, val_list* args); From 616ed2257226cbbf2bf5d82d1625ed2f800a4510 Mon Sep 17 00:00:00 2001 From: Gilbert Clark Date: Mon, 24 Nov 2014 16:30:12 -0500 Subject: [PATCH 009/109] Small fixes --- src/plugin/Manager.cc | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index eb8681c1cd..1445ed9a63 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -331,7 +331,7 @@ void Manager::InitPreScript() assert(! init); for ( plugin_list::iterator i = Manager::ActivePluginsInternal()->begin(); - i != Manager::ActivePluginsInternal()->end(); i++ ) + i != Manager::ActivePluginsInternal()->end(); i++ ) { Plugin* plugin = *i; plugin->DoConfigure(); 
@@ -346,7 +346,7 @@ void Manager::InitBifs() bif_init_func_map* bifs = BifFilesInternal(); for ( plugin_list::iterator i = Manager::ActivePluginsInternal()->begin(); - i != Manager::ActivePluginsInternal()->end(); i++ ) + i != Manager::ActivePluginsInternal()->end(); i++ ) { bif_init_func_map::const_iterator b = bifs->find((*i)->Name()); @@ -363,7 +363,7 @@ void Manager::InitPostScript() assert(init); for ( plugin_list::iterator i = Manager::ActivePluginsInternal()->begin(); - i != Manager::ActivePluginsInternal()->end(); i++ ) + i != Manager::ActivePluginsInternal()->end(); i++ ) (*i)->InitPostScript(); } @@ -372,7 +372,7 @@ void Manager::FinishPlugins() assert(init); for ( plugin_list::iterator i = Manager::ActivePluginsInternal()->begin(); - i != Manager::ActivePluginsInternal()->end(); i++ ) + i != Manager::ActivePluginsInternal()->end(); i++ ) (*i)->Done(); Manager::ActivePluginsInternal()->clear(); @@ -505,13 +505,13 @@ void Manager::DisableHook(HookType hook, Plugin* plugin) void Manager::RequestEvent(EventHandlerPtr handler, Plugin* plugin) { DBG_LOG(DBG_PLUGINS, "Plugin %s requested event %s", - plugin->Name().c_str(), handler->Name()); + plugin->Name().c_str(), handler->Name()); handler->SetGenerateAlways(); } void Manager::RequestBroObjDtor(BroObj* obj, Plugin* plugin) { - obj->NotifyPluginsOnDtor(); + obj->NotifyPluginsOnDtor(); } int Manager::HookLoadFile(const string& file) @@ -566,14 +566,14 @@ std::pair Manager::HookCallFunction(const Func* func, Frame* parent, if ( HavePluginForHook(META_HOOK_PRE) ) { args.push_back(HookArgument(func)); - args.push_back(HookArgument(parent)); + args.push_back(HookArgument(parent)); args.push_back(HookArgument(vargs)); MetaHookPre(HOOK_CALL_FUNCTION, args); } hook_list* l = hooks[HOOK_CALL_FUNCTION]; - std::pair v; + std::pair v = std::pair(NULL, false); if ( l ) for ( hook_list::iterator i = l->begin(); i != l->end(); ++i ) 
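Review bot: In `Manager::HookCallFunction`, `args` is filled only inside the `HavePluginForHook(META_HOOK_PRE)` branch, yet the `MetaHookPost(HOOK_CALL_FUNCTION, args, HookArgument(v))` call in the next hunk passes the same list, so a plugin that registers only the post meta-hook would presumably receive an empty argument list. Where meta-hooks are used to audit function calls, that drops the function, frame and arguments from the record without any error. Guard the three `push_back` calls with `if ( HavePluginForHook(META_HOOK_PRE) || HavePluginForHook(META_HOOK_POST) )` and keep `MetaHookPre` under its own check. The function body starts and ends outside this hunk.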
@@ -583,10 +583,10 @@ std::pair Manager::HookCallFunction(const Func* func, Frame* parent, v = p->HookCallFunction(func, parent, vargs); if ( v.second ) - { + { break; } - } + } if ( HavePluginForHook(META_HOOK_POST) ) MetaHookPost(HOOK_CALL_FUNCTION, args, HookArgument(v)); @@ -674,7 +674,7 @@ void Manager::HookBroObjDtor(void* obj) const { HookArgumentList args; - if ( HavePluginForHook(META_HOOK_PRE) ) + if ( HavePluginForHook(META_HOOK_PRE) ) { args.push_back(obj); MetaHookPre(HOOK_BRO_OBJ_DTOR, args); From cda7c93704ff3ea7201cd17af19759efdc9dd491 Mon Sep 17 00:00:00 2001 From: Gilbert Clark Date: Mon, 24 Nov 2014 16:35:26 -0500 Subject: [PATCH 010/109] More small fixes --- src/plugin/Manager.cc | 8 ++++---- src/plugin/Plugin.cc | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index 1445ed9a63..c63c47dfd0 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -583,11 +583,11 @@ std::pair Manager::HookCallFunction(const Func* func, Frame* parent, v = p->HookCallFunction(func, parent, vargs); if ( v.second ) - { + { break; - } - } - + } + } + if ( HavePluginForHook(META_HOOK_POST) ) MetaHookPost(HOOK_CALL_FUNCTION, args, HookArgument(v)); diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index a54829d883..0c2d2dba40 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -293,7 +293,7 @@ int Plugin::HookLoadFile(const std::string& file, const std::string& ext) std::pair Plugin::HookCallFunction(const Func* func, Frame *parent, val_list* args) { - std::pair result(NULL, false); + std::pair result(NULL, false); return result; } From 7120098ca2eef0449c383dbf57cc0a26b6303d11 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Thu, 8 Jan 2015 16:43:07 -0600 Subject: [PATCH 011/109] Add support for building/linking broker within bro The new --enable-broker flag can be used to toggle the use of Broker, which also implies building with -std=c++11, though nothing makes use of these features at the moment. --- .gitmodules | 3 +++ CMakeLists.txt | 7 +++++++ aux/broker | 1 + cmake | 2 +- configure | 15 +++++++++++++++ 5 files changed, 27 insertions(+), 1 deletion(-) create mode 160000 aux/broker diff --git a/.gitmodules b/.gitmodules index 24375ce23d..91f39e3d04 100644 --- a/.gitmodules +++ b/.gitmodules @@ -22,3 +22,6 @@ [submodule "aux/plugins"] path = aux/plugins url = git://git.bro.org/bro-plugins +[submodule "aux/broker"] + path = aux/broker + url = git://git.bro.org/broker diff --git a/CMakeLists.txt b/CMakeLists.txt index c0ff6c09d4..1f0fcf8d07 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -177,6 +177,12 @@ include_directories(${CMAKE_CURRENT_BINARY_DIR}) ######################################################################## ## Recurse on sub-directories +if ( ENABLE_BROKER ) + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11") + add_subdirectory(aux/broker) + set(brodeps ${brodeps} broker) +endif () + add_subdirectory(src) add_subdirectory(scripts) add_subdirectory(doc) @@ -224,6 +230,7 @@ message( "\nCXXFLAGS: ${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${BuildType}}" "\nCPP: ${CMAKE_CXX_COMPILER}" "\n" + "\nBroker: ${ENABLE_BROKER}" "\nBroccoli: ${INSTALL_BROCCOLI}" "\nBroctl: ${INSTALL_BROCTL}" "\nAux. Tools: ${INSTALL_AUX_TOOLS}" diff --git a/aux/broker b/aux/broker new file mode 160000 index 0000000000..a1b51def07 --- /dev/null +++ b/aux/broker @@ -0,0 +1 @@ +Subproject commit a1b51def07cfb191d0a83a78c7102560740dbcb3 diff --git a/cmake b/cmake index 1316c07f70..c2057b7f15 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 1316c07f7059647b6c4a496ea36e4b83bb5d8f0f +Subproject commit c2057b7f15dedc27641a50312384505ce4f2112c 
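Review bot: The `aux/broker` entry added to `.gitmodules` uses a `git://` URL, a transport with no encryption or server authentication, so anyone on the network path can answer the fetch. The gitlink recorded in this commit (`a1b51def07cfb191d0a83a78c7102560740dbcb3`) limits what can be checked out to that object id, but new submodules are better pointed at an authenticated transport (https or ssh) where the host offers one. The existing `aux/plugins` entry has the same form, so this may be a repository-wide follow-up rather than a blocker here.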
diff --git a/configure b/configure index 2b1c568b26..6235aba7dd 100755 --- a/configure +++ b/configure @@ -41,6 +41,8 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --enable-perftools-debug use Google's perftools for debugging --enable-jemalloc link against jemalloc --enable-ruby build ruby bindings for broccoli (deprecated) + --enable-broker enable use of the Broker communication library + (requires C++ Actor Framework and C++11) --disable-broccoli don't build or install the Broccoli library --disable-broctl don't install Broctl --disable-auxtools don't build or install auxiliary tools @@ -55,6 +57,8 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --with-flex=PATH path to flex executable --with-bison=PATH path to bison executable --with-perl=PATH path to perl executable + --with-libcaf=PATH path to C++ Actor Framework installation + (a required Broker dependency) Optional Packages in Non-Standard Locations: --with-geoip=PATH path to the libGeoIP install root @@ -67,6 +71,8 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --with-ruby-lib=PATH path to ruby library --with-ruby-inc=PATH path to ruby headers --with-swig=PATH path to SWIG executable + --with-rocksdb=PATH path to RocksDB installation + (an optional Broker dependency) Packaging Options (for developers): --binary-package toggle special logic for binary packaging @@ -176,6 +182,9 @@ while [ $# -ne 0 ]; do --enable-jemalloc) append_cache_entry ENABLE_JEMALLOC BOOL true ;; + --enable-broker) + append_cache_entry ENABLE_BROKER BOOL true + ;; --disable-broccoli) append_cache_entry INSTALL_BROCCOLI BOOL false ;; @@ -248,6 +257,12 @@ while [ $# -ne 0 ]; do --with-swig=*) append_cache_entry SWIG_EXECUTABLE PATH $optarg ;; + --with-libcaf=*) + append_cache_entry LIBCAF_ROOT_DIR PATH $optarg + ;; + --with-rocksdb=*) + append_cache_entry ROCKSDB_ROOT_DIR PATH $optarg + ;; --binary-package) append_cache_entry BINARY_PACKAGING_MODE BOOL true ;; From 1e8d6cd917d7d2a6f81c873d9113e6a18fb43df9 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 13 Jan 2015 17:14:21 -0600 Subject: [PATCH 012/109] broker integration: add API for connecting to peers --- CMakeLists.txt | 2 + aux/broker | 2 +- src/CMakeLists.txt | 4 ++ src/comm/CMakeLists.txt | 15 ++++++ src/comm/Manager.cc | 115 ++++++++++++++++++++++++++++++++++++++++ src/comm/Manager.h | 52 ++++++++++++++++++ src/comm/comm.bif | 43 +++++++++++++++ src/main.cc | 22 ++++++++ 8 files changed, 254 insertions(+), 1 deletion(-) create mode 100644 src/comm/CMakeLists.txt create mode 100644 src/comm/Manager.cc create mode 100644 src/comm/Manager.h create mode 100644 src/comm/comm.bif diff --git a/CMakeLists.txt b/CMakeLists.txt index 1f0fcf8d07..b31e60ac01 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -181,6 +181,8 @@ if ( ENABLE_BROKER ) set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11") add_subdirectory(aux/broker) set(brodeps ${brodeps} broker) + add_definitions(-DENABLE_BROKER) + include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}/aux/broker) endif () add_subdirectory(src) diff --git a/aux/broker b/aux/broker index a1b51def07..331966d1f3 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit a1b51def07cfb191d0a83a78c7102560740dbcb3 +Subproject commit 331966d1f3d24c63bedbda79e477f759c4d267f9 diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 13c6e45006..55ca12c873 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -161,6 +161,10 @@ add_subdirectory(iosource) add_subdirectory(logging) add_subdirectory(probabilistic) +if ( ENABLE_BROKER ) + add_subdirectory(comm) +endif () + set(bro_SUBDIRS # Order is important here. ${bro_PLUGIN_LIBS} diff --git a/src/comm/CMakeLists.txt b/src/comm/CMakeLists.txt new file mode 100644 index 0000000000..c152adc49a --- /dev/null +++ b/src/comm/CMakeLists.txt 
@@ -0,0 +1,15 @@ +include(BroSubdir) + +include_directories(BEFORE + ${CMAKE_CURRENT_SOURCE_DIR} + ${CMAKE_CURRENT_BINARY_DIR} +) + +set(comm_SRCS + Manager.cc +) + +bif_target(comm.bif) + +bro_add_subdir_library(comm ${comm_SRCS} ${BIF_OUTPUT_CC}) +add_dependencies(bro_comm generate_outputs) diff --git a/src/comm/Manager.cc b/src/comm/Manager.cc new file mode 100644 index 0000000000..ac67208ca6 --- /dev/null +++ b/src/comm/Manager.cc 
@@ -0,0 +1,115 @@ +#include "Manager.h" +#include +#include +#include +#include "util.h" +#include "Reporter.h" + +bool comm::Manager::InitPreScript() + { + auto res = broker::init(); + + if ( res ) + { + fprintf(stderr, "broker::init failed: %s\n", broker::strerror(res)); + return false; + } + + char host[256]; + const char* name; + + if ( gethostname(host, sizeof(host)) == 0 ) + name = fmt("bro@%s.%ld", host, static_cast(getpid())); + else + name = fmt("bro@.%ld", static_cast(getpid())); + + endpoint = std::unique_ptr(new broker::endpoint(name)); + return true; + } + +bool comm::Manager::InitPostScript() + { + return true; + } + +bool comm::Manager::Listen(uint16_t port, const char* addr) + { + auto rval = endpoint->listen(port, addr); + + if ( ! rval ) + { + reporter->Error("Failed to listen on %s:%" PRIu16 " : %s", + addr ? addr : "INADDR_ANY", port, + endpoint->last_error().data()); + } + + return rval; + } + +bool comm::Manager::Connect(string addr, uint16_t port, + std::chrono::duration retry_interval) + { + auto& peer = peers[std::make_pair(addr, port)]; + + if ( peer ) + return false; + + peer = endpoint->peer(std::move(addr), port, retry_interval); + return true; + } + +bool comm::Manager::Disconnect(const string& addr, uint16_t port) + { + auto it = peers.find(std::make_pair(addr, port)); + + if ( it == peers.end() ) + return false; + + return endpoint->unpeer(it->second); + } + +void comm::Manager::GetFds(iosource::FD_Set* read, iosource::FD_Set* write, + iosource::FD_Set* except) + { + read->Insert(endpoint->peer_status().fd()); + } + +double comm::Manager::NextTimestamp(double* local_network_time) + { + // TODO: do something better? + return timer_mgr->Time(); + } + +void comm::Manager::Process() + { + bool idle = true; + auto peer_status_updates = endpoint->peer_status().want_pop(); + + if ( ! peer_status_updates.empty() ) + idle = false; + + for ( auto& u : peer_status_updates ) + { + if ( ! 
u.relation.remote() ) + continue; + + // TODO: generate events + switch ( u.status ) { + case broker::peer_status::tag::established: + printf("established\n"); + break; + case broker::peer_status::tag::disconnected: + printf("disconnected\n"); + break; + case broker::peer_status::tag::incompatible: + printf("incompatible\n"); + break; + default: + reporter->InternalWarning("unknown broker::peer_status::tag : %d", + static_cast(u.status)); + break; + } + } + + SetIdle(idle); + } diff --git a/src/comm/Manager.h b/src/comm/Manager.h new file mode 100644 index 0000000000..412c125d14 --- /dev/null +++ b/src/comm/Manager.h @@ -0,0 +1,52 @@ +#ifndef BRO_COMM_MANAGER_H +#define BRO_COMM_MANAGER_H + +#include +#include +#include +#include +#include "Reporter.h" +#include "iosource/IOSource.h" + +namespace comm { + +// TODO: documentation + +// Manages various forms of communication between peer Bro processes +// or possibly between different parts of a single Bro process. +class Manager : public iosource::IOSource { +public: + + bool InitPreScript(); + + bool InitPostScript(); + + bool Listen(uint16_t port, const char* addr = nullptr); + + bool Connect(std::string addr, uint16_t port, + std::chrono::duration retry_interval); + + bool Disconnect(const std::string& addr, uint16_t port); + +private: + + // IOSource interface overrides: + void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, + iosource::FD_Set* except) override; + + double NextTimestamp(double* local_network_time) override; + + void Process() override; + + const char* Tag() override + { return "Comm::Manager"; } + + std::unique_ptr endpoint; + std::map, broker::peering> peers; +}; + +} // namespace comm + +extern comm::Manager* comm_mgr; + +#endif // BRO_COMM_MANAGER_H diff --git a/src/comm/comm.bif b/src/comm/comm.bif new file mode 100644 index 0000000000..ce54b916ca --- /dev/null +++ b/src/comm/comm.bif 
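Review bot: In `comm::Manager::InitPreScript`, `host` is handed to the `fmt("bro@%s.%ld", ...)` call straight after `gethostname(host, sizeof(host))`, but POSIX leaves it unspecified whether a truncated name is null-terminated, so the `%s` can read past the 256-byte buffer. Add `host[sizeof(host) - 1] = '\0';` after the successful call, or declare `char host[256] = {};` and pass `sizeof(host) - 1` as the length. The same lines move into `InitPostScript` later in this series and need the same guard there.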
@@ -0,0 +1,43 @@ + +module Comm; + +%%{ +#include "comm/Manager.h" +%%} + +function Comm::listen%(p: port, a: string &default=""%): bool + %{ + if ( ! p->IsTCP() ) + { + reporter->Error("listen port must use tcp"); + return new Val(false, TYPE_BOOL); + } + + auto rval = comm_mgr->Listen(p->Port(), a->Len() ? a->CheckString() : 0); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::connect%(a: string, p: port, retry: interval%): bool + %{ + if ( ! p->IsTCP() ) + { + reporter->Error("remote connection port must use tcp"); + return new Val(false, TYPE_BOOL); + } + + auto rval = comm_mgr->Connect(a->CheckString(), p->Port(), + std::chrono::duration(retry)); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::disconnect%(a: string, p: port%): bool + %{ + if ( ! p->IsTCP() ) + { + reporter->Error("remote connection port must use tcp"); + return new Val(false, TYPE_BOOL); + } + + auto rval = comm_mgr->Disconnect(a->CheckString(), p->Port()); + return new Val(rval, TYPE_BOOL); + %} diff --git a/src/main.cc b/src/main.cc index 15aea3d3fe..a7099cb90b 100644 --- a/src/main.cc +++ b/src/main.cc @@ -63,6 +63,10 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void); #include "3rdparty/sqlite3.h" +#ifdef ENABLE_BROKER +#include +#endif + Brofiler brofiler; #ifndef HAVE_STRSEP @@ -94,6 +98,9 @@ analyzer::Manager* analyzer_mgr = 0; file_analysis::Manager* file_mgr = 0; broxygen::Manager* broxygen_mgr = 0; iosource::Manager* iosource_mgr = 0; +#ifdef ENABLE_BROKER +comm::Manager* comm_mgr = 0; +#endif Stmt* stmts; EventHandlerPtr net_done = 0; RuleMatcher* rule_matcher = 0; 
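Review bot: `Comm::listen` is undocumented, and its default is the part a caller most needs spelled out: with `a = ""` the bif passes a null address, which `Manager::Listen` reports as `INADDR_ANY`, i.e. the endpoint accepts connections on every interface. Nothing in this commit shows peers being authenticated, so I would state the exposure in the doc comment, e.g. `## a: address to listen on; the default empty string listens on all interfaces, so pass a specific address to limit exposure.` `Comm::connect` and `Comm::disconnect` would also benefit from `##` comments saying when they return false (the address/port pair is already, respectively not, in the peer table).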
@@ -851,6 +858,16 @@ int main(int argc, char** argv) input_mgr = new input::Manager(); file_mgr = new file_analysis::Manager(); +#ifdef ENABLE_BROKER + comm_mgr = new comm::Manager(); + + if ( ! comm_mgr->InitPreScript() ) + { + fprintf(stderr, "Failed to initialize communication manager."); + exit(1); + } +#endif + plugin_mgr->InitPreScript(); analyzer_mgr->InitPreScript(); file_mgr->InitPreScript(); @@ -925,6 +942,11 @@ int main(int argc, char** argv) exit(rc); } +#ifdef ENABLE_BROKER + comm_mgr->InitPostScript(); + iosource_mgr->Register(comm_mgr); +#endif + #ifdef USE_PERFTOOLS_DEBUG } #endif From 0daa954ddbff2bdb991b3ade0312a7fcf03b76aa Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 14 Jan 2015 10:40:11 -0600 Subject: [PATCH 013/109] broker integration: add remote connection status events. --- scripts/base/frameworks/comm/__load__.bro | 1 + scripts/base/frameworks/comm/main.bro | 7 +++ scripts/base/init-bare.bro | 1 + src/comm/Manager.cc | 62 ++++++++++++++++++----- src/comm/comm.bif | 8 +++ 5 files changed, 66 insertions(+), 13 deletions(-) create mode 100644 scripts/base/frameworks/comm/__load__.bro create mode 100644 scripts/base/frameworks/comm/main.bro diff --git a/scripts/base/frameworks/comm/__load__.bro b/scripts/base/frameworks/comm/__load__.bro new file mode 100644 index 0000000000..a10fe855df --- /dev/null +++ b/scripts/base/frameworks/comm/__load__.bro @@ -0,0 +1 @@ +@load ./main diff --git a/scripts/base/frameworks/comm/main.bro b/scripts/base/frameworks/comm/main.bro new file mode 100644 index 0000000000..af4225f5dd --- /dev/null +++ b/scripts/base/frameworks/comm/main.bro @@ -0,0 +1,7 @@ + +module Comm; + +export { + + const endpoint_name = "" &redef; +} diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 4a1bcfbe72..9d790e1e09 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -3358,6 +3358,7 @@ const bits_per_uid: count = 96 &redef; # Load these frameworks here because they use fairly deep integration with # BiFs and script-land defined types. +@load base/frameworks/comm @load base/frameworks/logging @load base/frameworks/input @load base/frameworks/analyzer diff --git a/src/comm/Manager.cc b/src/comm/Manager.cc index ac67208ca6..29ff71d7e0 100644 --- a/src/comm/Manager.cc +++ b/src/comm/Manager.cc @@ -3,9 +3,16 @@ #include #include #include "util.h" +#include "Var.h" #include "Reporter.h" +#include "comm/comm.bif.h" bool comm::Manager::InitPreScript() + { + return true; + } + +bool comm::Manager::InitPostScript() { auto res = broker::init(); @@ -15,23 +22,25 @@ bool comm::Manager::InitPreScript() return false; } - char host[256]; const char* name; + auto name_from_script = internal_val("Comm::endpoint_name")->AsString(); - if ( gethostname(host, sizeof(host)) == 0 ) - name = fmt("bro@%s.%ld", host, static_cast(getpid())); + if ( name_from_script->Len() ) + name = name_from_script->CheckString(); else - name = fmt("bro@.%ld", static_cast(getpid())); + { + char host[256]; + + if ( gethostname(host, sizeof(host)) == 0 ) + name = fmt("bro@%s.%ld", host, static_cast(getpid())); + else + name = fmt("bro@.%ld", static_cast(getpid())); + } endpoint = std::unique_ptr(new broker::endpoint(name)); return true; } -bool comm::Manager::InitPostScript() - { - return true; - } - bool comm::Manager::Listen(uint16_t port, const char* addr) { auto rval = endpoint->listen(port, addr); 
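Review bot: `InitPostScript` now holds the `broker::init()` failure path (`return false`) and the construction of `endpoint`, but the call added to main.cc earlier in this series is a bare `comm_mgr->InitPostScript();` followed by `iosource_mgr->Register(comm_mgr);`. If initialisation fails, `endpoint` is left empty and `GetFds` and `Process` would dereference it once the manager is polled. main.cc should check the result the way it already does for `InitPreScript`: `if ( ! comm_mgr->InitPostScript() ) { fprintf(stderr, "Failed to initialize communication manager.\n"); exit(1); }`. The function starts in the previous hunk of this file.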
@@ -93,17 +102,44 @@ void comm::Manager::Process() if ( ! u.relation.remote() ) continue; - // TODO: generate events switch ( u.status ) { case broker::peer_status::tag::established: - printf("established\n"); + if ( Comm::remote_connection_established ) + { + val_list* vl = new val_list; + vl->append(new StringVal(u.relation.remote_tuple().first)); + vl->append(new PortVal(u.relation.remote_tuple().second, + TRANSPORT_TCP)); + vl->append(new StringVal(u.peer_name)); + mgr.QueueEvent(Comm::remote_connection_established, vl); + } + break; + case broker::peer_status::tag::disconnected: - printf("disconnected\n"); + if ( Comm::remote_connection_broken ) + { + val_list* vl = new val_list; + vl->append(new StringVal(u.relation.remote_tuple().first)); + vl->append(new PortVal(u.relation.remote_tuple().second, + TRANSPORT_TCP)); + mgr.QueueEvent(Comm::remote_connection_broken, vl); + } + break; + case broker::peer_status::tag::incompatible: - printf("incompatible\n"); + if ( Comm::remote_connection_incompatible ) + { + val_list* vl = new val_list; + vl->append(new StringVal(u.relation.remote_tuple().first)); + vl->append(new PortVal(u.relation.remote_tuple().second, + TRANSPORT_TCP)); + mgr.QueueEvent(Comm::remote_connection_incompatible, vl); + } + break; + default: reporter->InternalWarning("unknown broker::peer_status::tag : %d", static_cast(u.status)); diff --git a/src/comm/comm.bif b/src/comm/comm.bif index ce54b916ca..67933df20e 100644 --- a/src/comm/comm.bif +++ b/src/comm/comm.bif @@ -5,6 +5,14 @@ module Comm; #include "comm/Manager.h" %%} +event Comm::remote_connection_established%(peer_address: string, + peer_port: port, + peer_name: string%); +event Comm::remote_connection_broken%(peer_address: string, + peer_port: port%); +event Comm::remote_connection_incompatible%(peer_address: string, + peer_port: port%); + function Comm::listen%(p: port, a: string &default=""%): bool %{ if ( ! p->IsTCP() ) 
From 1e462481dc2e3106431ac9cd71c4ea1644c7881b Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 14 Jan 2015 13:28:34 -0600 Subject: [PATCH 014/109] broker integration: add remote printing --- aux/broker | 2 +- scripts/base/frameworks/comm/main.bro | 6 ++ src/comm/Manager.cc | 116 ++++++++++++++++++++++++-- src/comm/Manager.h | 14 ++++ src/comm/comm.bif | 30 ++++++- 5 files changed, 158 insertions(+), 10 deletions(-) diff --git a/aux/broker b/aux/broker index 331966d1f3..1e8d675790 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 331966d1f3d24c63bedbda79e477f759c4d267f9 +Subproject commit 1e8d6757909750524c15f8eaf3c297243bc55425 diff --git a/scripts/base/frameworks/comm/main.bro b/scripts/base/frameworks/comm/main.bro index af4225f5dd..c69d36db52 100644 --- a/scripts/base/frameworks/comm/main.bro +++ b/scripts/base/frameworks/comm/main.bro @@ -4,4 +4,10 @@ module Comm; export { const endpoint_name = "" &redef; + + type SendFlags: record { + self: bool &default = F; + peers: bool &default = T; + unsolicited: bool &default = F; + }; } diff --git a/src/comm/Manager.cc b/src/comm/Manager.cc index 29ff71d7e0..7027daa79e 100644 --- a/src/comm/Manager.cc +++ b/src/comm/Manager.cc @@ -7,13 +7,31 @@ #include "Reporter.h" #include "comm/comm.bif.h" +using namespace std; + bool comm::Manager::InitPreScript() { return true; } +static int require_field(const RecordType* rt, const char* name) + { + auto rval = rt->FieldOffset(name); + + if ( rval < 0 ) + reporter->InternalError("no field named '%s' in record type '%s'", name, + rt->GetName().data()); + + return rval; + } + bool comm::Manager::InitPostScript() { + auto send_flags_type = internal_type("Comm::SendFlags")->AsRecordType(); + send_flags_self_idx = require_field(send_flags_type, "self"); + send_flags_peers_idx = require_field(send_flags_type, "peers"); + send_flags_unsolicited_idx = require_field(send_flags_type, "unsolicited"); + auto res = broker::init(); if ( res ) 
@@ -37,7 +55,7 @@ bool comm::Manager::InitPostScript() name = fmt("bro@.%ld", static_cast(getpid())); } - endpoint = std::unique_ptr(new broker::endpoint(name)); + endpoint = unique_ptr(new broker::endpoint(name)); return true; } 
@@ -56,31 +74,81 @@ bool comm::Manager::Listen(uint16_t port, const char* addr) } bool comm::Manager::Connect(string addr, uint16_t port, - std::chrono::duration retry_interval) + chrono::duration retry_interval) { - auto& peer = peers[std::make_pair(addr, port)]; + auto& peer = peers[make_pair(addr, port)]; if ( peer ) return false; - peer = endpoint->peer(std::move(addr), port, retry_interval); + peer = endpoint->peer(move(addr), port, retry_interval); return true; } bool comm::Manager::Disconnect(const string& addr, uint16_t port) { - auto it = peers.find(std::make_pair(addr, port)); + auto it = peers.find(make_pair(addr, port)); if ( it == peers.end() ) return false; - return endpoint->unpeer(it->second); + auto rval = endpoint->unpeer(it->second); + peers.erase(it); + return rval; + } + +bool comm::Manager::Print(string topic, string msg, const Val* flags) + { + endpoint->send(move(topic), broker::message{move(msg)}, get_flags(flags)); + return true; + } + +bool comm::Manager::SubscribeToPrints(string topic_prefix) + { + auto& q = print_subscriptions[topic_prefix]; + + if ( q ) + return false; + + q = broker::message_queue(move(topic_prefix), *endpoint); + return true; + } + +bool comm::Manager::UnsubscribeToPrints(const string& topic_prefix) + { + return print_subscriptions.erase(topic_prefix); + } + +int comm::Manager::get_flags(const Val* flags) + { + auto r = flags->AsRecordVal(); + int rval = 0; + Val* self_flag = r->LookupWithDefault(send_flags_self_idx); + Val* peers_flag = r->LookupWithDefault(send_flags_peers_idx); + Val* unsolicited_flag = r->LookupWithDefault(send_flags_unsolicited_idx); + + if ( self_flag->AsBool() ) + rval |= broker::SELF; + + if ( peers_flag->AsBool() ) + rval |= broker::PEERS; + + if ( unsolicited_flag->AsBool() ) + rval |= broker::UNSOLICITED; + + Unref(self_flag); + Unref(peers_flag); + Unref(unsolicited_flag); + return rval; } void comm::Manager::GetFds(iosource::FD_Set* read, iosource::FD_Set* write, iosource::FD_Set* 
except) { read->Insert(endpoint->peer_status().fd()); + + for ( const auto& ps : print_subscriptions ) + read->Insert(ps.second.fd()); } double comm::Manager::NextTimestamp(double* local_network_time) @@ -147,5 +215,41 @@ void comm::Manager::Process() } } + for ( const auto& ps : print_subscriptions ) + { + auto print_messages = ps.second.want_pop(); + + if ( print_messages.empty() ) + continue; + + idle = false; + + if ( ! Comm::print_handler ) + continue; + + for ( auto& pm : print_messages ) + { + if ( pm.size() != 1 ) + { + reporter->Warning("got print message of invalid size: %zd", + pm.size()); + continue; + } + + std::string* msg = broker::get(pm[0]); + + if ( ! msg ) + { + reporter->Warning("got print message of invalid type: %d", + static_cast(broker::which(pm[0]))); + continue; + } + + val_list* vl = new val_list; + vl->append(new StringVal(move(*msg))); + mgr.QueueEvent(Comm::print_handler, vl); + } + } + SetIdle(idle); } diff --git a/src/comm/Manager.h b/src/comm/Manager.h index 412c125d14..0f7d5a4a1c 100644 --- a/src/comm/Manager.h +++ b/src/comm/Manager.h @@ -2,6 +2,7 @@ #define BRO_COMM_MANAGER_H #include +#include #include #include #include @@ -28,8 +29,16 @@ public: bool Disconnect(const std::string& addr, uint16_t port); + bool Print(std::string topic, std::string msg, const Val* flags); + + bool SubscribeToPrints(std::string topic_prefix); + + bool UnsubscribeToPrints(const std::string& topic_prefix); + private: + int get_flags(const Val* flags); + // IOSource interface overrides: void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, iosource::FD_Set* except) override; @@ -43,6 +52,11 @@ private: std::unique_ptr endpoint; std::map, broker::peering> peers; + std::map print_subscriptions; + + int send_flags_self_idx; + int send_flags_peers_idx; + int send_flags_unsolicited_idx; }; } // namespace comm diff --git a/src/comm/comm.bif b/src/comm/comm.bif index 67933df20e..6294864bba 100644 --- a/src/comm/comm.bif +++ b/src/comm/comm.bif 
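Review bot: In the print-message loop of `comm::Manager::Process`, `reporter->Warning("got print message of invalid size: %zd", pm.size())` pairs the signed `%zd` conversion with what is presumably a `size_t`; use `%zu`. This branch is reached by messages arriving from remote peers, so the warning is the only trace of malformed input and should format reliably. The function body starts outside this hunk.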
@@ -1,10 +1,12 @@ -module Comm; - %%{ #include "comm/Manager.h" %%} +module Comm; + +type Comm::SendFlags: record; + event Comm::remote_connection_established%(peer_address: string, peer_port: port, peer_name: string%); @@ -13,7 +15,7 @@ event Comm::remote_connection_broken%(peer_address: string, event Comm::remote_connection_incompatible%(peer_address: string, peer_port: port%); -function Comm::listen%(p: port, a: string &default=""%): bool +function Comm::listen%(p: port, a: string &default = ""%): bool %{ if ( ! p->IsTCP() ) { @@ -49,3 +51,25 @@ function Comm::disconnect%(a: string, p: port%): bool auto rval = comm_mgr->Disconnect(a->CheckString(), p->Port()); return new Val(rval, TYPE_BOOL); %} + +event Comm::print_handler%(msg: string%); + +function Comm::print%(topic: string, msg: string, + flags: SendFlags &default = SendFlags()%): bool + %{ + auto rval = comm_mgr->Print(topic->CheckString(), msg->CheckString(), + flags); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::subscribe_to_prints%(topic_prefix: string &default = ""%): bool + %{ + auto rval = comm_mgr->SubscribeToPrints(topic_prefix->CheckString()); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::unsubscribe_to_prints%(topic_prefix: string &default = ""%): bool + %{ + auto rval = comm_mgr->UnsubscribeToPrints(topic_prefix->CheckString()); + return new Val(rval, TYPE_BOOL); + %} From 7e563b7275394dcb72d44c288cdb5bd96f4dffb9 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 15 Jan 2015 15:45:08 -0600 Subject: [PATCH 015/109] broker integration: add remote events --- scripts/base/frameworks/comm/main.bro | 9 + src/comm/CMakeLists.txt | 1 + src/comm/Data.cc | 533 ++++++++++++++++++++++++++ src/comm/Data.h | 29 ++ src/comm/Manager.cc | 177 +++++++++ src/comm/Manager.h | 11 + src/comm/comm.bif | 42 +- 7 files changed, 800 insertions(+), 2 deletions(-) create mode 100644 src/comm/Data.cc create mode 100644 src/comm/Data.h 
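Review bot: `Comm::print_handler` delivers only `msg`, so a handler cannot tell which topic or peer a line came from, and `Comm::subscribe_to_prints` defaults to the prefix `""`, which presumably matches every topic. Both deserve `##` comments; for the event something like `## msg: text sent by a peer via Comm::print; treat it as untrusted input.` If handlers are expected to act on these messages, consider passing the topic along in a follow-up.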
diff --git a/scripts/base/frameworks/comm/main.bro b/scripts/base/frameworks/comm/main.bro index c69d36db52..efe3069a1c 100644 --- a/scripts/base/frameworks/comm/main.bro +++ b/scripts/base/frameworks/comm/main.bro @@ -10,4 +10,13 @@ export { peers: bool &default = T; unsolicited: bool &default = F; }; + + type Data: record { + d: opaque of Comm::Data &optional; + }; + + type EventArgs: record { + name: string &optional; # nil for invalid event/args. + args: vector of Comm::Data; + }; } diff --git a/src/comm/CMakeLists.txt b/src/comm/CMakeLists.txt index c152adc49a..95ad701d71 100644 --- a/src/comm/CMakeLists.txt +++ b/src/comm/CMakeLists.txt @@ -6,6 +6,7 @@ include_directories(BEFORE ) set(comm_SRCS + Data.cc Manager.cc ) diff --git a/src/comm/Data.cc b/src/comm/Data.cc new file mode 100644 index 0000000000..58d5b30085 --- /dev/null +++ b/src/comm/Data.cc 
@@ -0,0 +1,533 @@ +#include "Data.h" +#include "comm/comm.bif.h" + +using namespace std; + +OpaqueType* comm::opaque_of_data_type; + +static broker::port::protocol to_broker_port_proto(TransportProto tp) + { + switch ( tp ) { + case TRANSPORT_TCP: + return broker::port::protocol::tcp; + case TRANSPORT_UDP: + return broker::port::protocol::udp; + case TRANSPORT_ICMP: + return broker::port::protocol::icmp; + case TRANSPORT_UNKNOWN: + default: + return broker::port::protocol::unknown; + } + } + +static TransportProto to_bro_port_proto(broker::port::protocol tp) + { + switch ( tp ) { + case broker::port::protocol::tcp: + return TRANSPORT_TCP; + case broker::port::protocol::udp: + return TRANSPORT_UDP; + case broker::port::protocol::icmp: + return TRANSPORT_ICMP; + case broker::port::protocol::unknown: + default: + return TRANSPORT_UNKNOWN; + } + } + +struct val_converter { + using result_type = Val*; + + BroType* type; + + result_type operator()(bool a) + { + if ( type->Tag() == TYPE_BOOL ) + return new Val(a, TYPE_BOOL); + return nullptr; + } + + result_type operator()(uint64_t a) + { + if ( type->Tag() == TYPE_COUNT ) + return new Val(a, TYPE_COUNT); + if ( type->Tag() == TYPE_COUNTER ) + return new Val(a, TYPE_COUNTER); + return nullptr; + } + + result_type operator()(int64_t a) + { + if ( type->Tag() == TYPE_INT ) + return new Val(a, TYPE_INT); + return nullptr; + } + + result_type operator()(double a) + { + if ( type->Tag() == TYPE_DOUBLE ) + return new Val(a, TYPE_DOUBLE); + return nullptr; + } + + result_type operator()(const std::string& a) + { + switch ( type->Tag() ) { + case TYPE_STRING: + return new StringVal(a.size(), a.data()); + case TYPE_FILE: + { + auto file = BroFile::GetFile(a.data()); + + if ( file ) + { + Ref(file); + return new Val(file); + } + + return nullptr; + } + case TYPE_FUNC: + { + auto id = lookup_ID(a.data(), GLOBAL_MODULE_NAME); + auto rval = id ? 
id->ID_Val() : nullptr; + Unref(id); + + if ( rval && rval->Type()->Tag() == TYPE_FUNC ) + return rval; + + return nullptr; + } + default: + return nullptr; + } + } + + result_type operator()(const broker::address& a) + { + if ( type->Tag() == TYPE_ADDR ) + { + auto bits = reinterpret_cast(&a.bytes()); + return new AddrVal(IPAddr(*bits)); + } + + return nullptr; + } + + result_type operator()(const broker::subnet& a) + { + if ( type->Tag() == TYPE_SUBNET ) + { + auto bits = reinterpret_cast(&a.network().bytes()); + return new SubNetVal(IPPrefix(IPAddr(*bits), a.length())); + } + + return nullptr; + } + + result_type operator()(const broker::port& a) + { + if ( type->Tag() == TYPE_PORT ) + return new PortVal(a.number(), to_bro_port_proto(a.type())); + + return nullptr; + } + + result_type operator()(const broker::time_point& a) + { + if ( type->Tag() == TYPE_TIME ) + return new Val(a.value, TYPE_TIME); + + return nullptr; + } + + result_type operator()(const broker::time_duration& a) + { + if ( type->Tag() == TYPE_INTERVAL ) + return new Val(a.value, TYPE_INTERVAL); + + return nullptr; + } + + result_type operator()(const broker::enum_value& a) + { + if ( type->Tag() == TYPE_ENUM ) + { + auto etype = type->AsEnumType(); + auto i = etype->Lookup(GLOBAL_MODULE_NAME, a.name.data()); + + if ( i == -1 ) + return nullptr; + + return new EnumVal(i, etype); + } + + return nullptr; + } + + result_type operator()(broker::set& a) + { + if ( ! type->IsSet() ) + return nullptr; + + auto tt = type->AsTableType(); + auto rval = new TableVal(tt); + + for ( auto& item : a ) + { + auto indices = broker::get(item); + + if ( ! 
indices ) + { + Unref(rval); + return nullptr; + } + + auto expected_index_types = tt->Indices()->Types(); + + if ( expected_index_types->length() != indices->size() ) + { + Unref(rval); + return nullptr; + } + + auto list_val = new ListVal(TYPE_ANY); + + for ( auto i = 0u; i < indices->size(); ++i ) + { + auto index_val = comm::data_to_val(move((*indices)[i]), + (*expected_index_types)[i]); + + if ( ! index_val ) + { + Unref(rval); + Unref(list_val); + return nullptr; + } + + list_val->Append(index_val); + } + + + rval->Assign(list_val, nullptr); + Unref(list_val); + } + + return rval; + } + + result_type operator()(broker::table& a) + { + if ( ! type->IsTable() ) + return nullptr; + + auto tt = type->AsTableType(); + auto rval = new TableVal(tt); + + for ( auto& item : a ) + { + auto indices = broker::get(item.first); + + if ( ! indices ) + { + Unref(rval); + return nullptr; + } + + auto expected_index_types = tt->Indices()->Types(); + + if ( expected_index_types->length() != indices->size() ) + { + Unref(rval); + return nullptr; + } + + auto list_val = new ListVal(TYPE_ANY); + + for ( auto i = 0u; i < indices->size(); ++i ) + { + auto index_val = comm::data_to_val(move((*indices)[i]), + (*expected_index_types)[i]); + + if ( ! index_val ) + { + Unref(rval); + Unref(list_val); + return nullptr; + } + + list_val->Append(index_val); + } + + auto value_val = comm::data_to_val(move(item.second), + tt->YieldType()); + + if ( ! value_val ) + { + Unref(rval); + Unref(list_val); + return nullptr; + } + + rval->Assign(list_val, value_val); + Unref(list_val); + } + + return rval; + } + + result_type operator()(broker::vector& a) + { + if ( type->Tag() != TYPE_VECTOR ) + return nullptr; + + auto vt = type->AsVectorType(); + auto rval = new VectorVal(vt); + + for ( auto& item : a ) + { + auto item_val = comm::data_to_val(move(item), vt->YieldType()); + + if ( ! 
item_val ) + { + Unref(rval); + return nullptr; + } + + rval->Assign(rval->Size(), item_val); + } + + return rval; + } + + result_type operator()(broker::record& a) + { + if ( type->Tag() != TYPE_RECORD ) + return nullptr; + + auto rt = type->AsRecordType(); + + if ( a.fields.size() != rt->NumFields() ) + return nullptr; + + auto rval = new RecordVal(rt); + + for ( auto i = 0u; i < a.fields.size(); ++i ) + { + if ( ! a.fields[i] ) + { + rval->Assign(i, nullptr); + continue; + } + + auto item_val = comm::data_to_val(move(*a.fields[i]), + rt->FieldType(i)); + + if ( ! item_val ) + { + Unref(rval); + return nullptr; + } + + rval->Assign(i, item_val); + } + + return nullptr; + } +}; + +Val* comm::data_to_val(broker::data d, BroType* type) + { + return broker::visit(val_converter{type}, d); + } + +broker::util::optional comm::val_to_data(const Val* v) + { + switch ( v->Type()->Tag() ) { + case TYPE_BOOL: + return {v->AsBool()}; + case TYPE_INT: + return {v->AsInt()}; + case TYPE_COUNT: + return {v->AsCount()}; + case TYPE_COUNTER: + return {v->AsCounter()}; + case TYPE_PORT: + { + auto p = v->AsPortVal(); + return {broker::port(p->Port(), to_broker_port_proto(p->PortType()))}; + } + case TYPE_ADDR: + { + auto a = v->AsAddr(); + in6_addr tmp; + a.CopyIPv6(&tmp); + return {broker::address(reinterpret_cast(&tmp), + broker::address::family::ipv6, + broker::address::byte_order::network)}; + } + break; + case TYPE_SUBNET: + { + auto s = v->AsSubNet(); + in6_addr tmp; + s.Prefix().CopyIPv6(&tmp); + auto a = broker::address(reinterpret_cast(&tmp), + broker::address::family::ipv6, + broker::address::byte_order::network); + return {broker::subnet(a, s.Length())}; + } + break; + case TYPE_DOUBLE: + return {v->AsDouble()}; + case TYPE_TIME: + return {broker::time_point(v->AsTime())}; + case TYPE_INTERVAL: + return {broker::time_duration(v->AsInterval())}; + case TYPE_ENUM: + { + auto enum_type = v->Type()->AsEnumType(); + auto enum_name = enum_type->Lookup(v->AsEnum()); + return 
{broker::enum_value(enum_name ? "" : enum_name)}; + } + case TYPE_STRING: + { + auto s = v->AsString(); + return {string(reinterpret_cast(s->Bytes()), s->Len())}; + } + case TYPE_FILE: + return {string(v->AsFile()->Name())}; + case TYPE_FUNC: + return {string(v->AsFunc()->Name())}; + case TYPE_TABLE: + { + auto is_set = v->Type()->IsSet(); + auto table = v->AsTable(); + auto table_val = v->AsTableVal(); + auto c = table->InitForIteration(); + broker::data rval; + + if ( is_set ) + rval = broker::set(); + else + rval = broker::table(); + + struct iter_guard { + iter_guard(HashKey* arg_k, ListVal* arg_lv) + : k(arg_k), lv(arg_lv) + {} + + ~iter_guard() + { + delete k; + Unref(lv); + } + + HashKey* k; + ListVal* lv; + }; + + for ( auto i = 0; i < table->Length(); ++i ) + { + HashKey* k; + auto entry = table->NextEntry(k, c); + auto vl = table_val->RecoverIndex(k); + iter_guard ig(k, vl); + broker::vector key; + + for ( auto k = 0; k < vl->Length(); ++k ) + { + auto key_part = val_to_data((*vl->Vals())[k]); + + if ( ! key_part ) + return {}; + + key.emplace_back(move(*key_part)); + } + + if ( is_set ) + broker::get(rval)->emplace(move(key)); + else + { + auto val = val_to_data(entry->Value()); + + if ( ! val ) + return {}; + + broker::get(rval)->emplace(move(key), + move(*val)); + } + } + + return {rval}; + } + case TYPE_VECTOR: + { + auto vec = v->AsVectorVal(); + broker::vector rval; + rval.reserve(vec->Size()); + + for ( auto i = 0u; i < vec->Size(); ++i ) + { + auto item_val = vec->Lookup(i); + + if ( ! item_val ) + continue; + + auto item = val_to_data(item_val); + + if ( ! item ) + return {}; + + rval.emplace_back(move(*item)); + } + + return {rval}; + } + case TYPE_RECORD: + { + auto rec = v->AsRecordVal(); + broker::record rval; + auto num_fields = v->Type()->AsRecordType()->NumFields(); + rval.fields.reserve(num_fields); + + for ( auto i = 0u; i < num_fields; ++i ) + { + auto item_val = rec->LookupWithDefault(i); + + if ( ! 
item_val ) + { + rval.fields.emplace_back(broker::record::field{}); + continue; + } + + auto item = val_to_data(item_val); + Unref(item_val); + + if ( ! item ) + return {}; + + rval.fields.emplace_back(broker::record::field{move(*item)}); + } + + return {rval}; + } + default: + reporter->Error("unsupported Comm::Data type: %s", + type_name(v->Type()->Tag())); + break; + } + + return {}; + } + +RecordVal* comm::make_data_val(const Val* v) + { + auto rval = new RecordVal(BifType::Record::Comm::Data); + auto data = val_to_data(v); + + if ( data ) + rval->Assign(0, new DataVal(move(*data))); + + return rval; + } diff --git a/src/comm/Data.h b/src/comm/Data.h new file mode 100644 index 0000000000..e3197b61da --- /dev/null +++ b/src/comm/Data.h @@ -0,0 +1,29 @@ +#ifndef BRO_COMM_DATA_H +#define BRO_COMM_DATA_H + +#include +#include "Val.h" + +namespace comm { + +extern OpaqueType* opaque_of_data_type; + +RecordVal* make_data_val(const Val* v); + +broker::util::optional val_to_data(const Val* v); + +Val* data_to_val(broker::data d, BroType* type); + +class DataVal : public OpaqueVal { +public: + + DataVal(broker::data arg_data) + : OpaqueVal(comm::opaque_of_data_type), data(std::move(arg_data)) + {} + + broker::data data; +}; + +} // namespace comm + +#endif // BRO_COMM_DATA_H diff --git a/src/comm/Manager.cc b/src/comm/Manager.cc index 7027daa79e..b4f118706a 100644 --- a/src/comm/Manager.cc +++ b/src/comm/Manager.cc @@ -1,4 +1,5 @@ #include "Manager.h" +#include "Data.h" #include #include #include @@ -32,6 +33,9 @@ bool comm::Manager::InitPostScript() send_flags_peers_idx = require_field(send_flags_type, "peers"); send_flags_unsolicited_idx = require_field(send_flags_type, "unsolicited"); + comm::opaque_of_data_type = new OpaqueType("Comm::Data"); + vector_of_data_type = new VectorType(internal_type("Comm::Data")->Ref()); + auto res = broker::init(); if ( res ) 
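Review bot: In `comm::val_to_data` in src/comm/Data.cc, the `TYPE_ENUM` case has its ternary inverted: `enum_name ? "" : enum_name` sends an empty name for every valid enum and hands a null pointer to the `broker::enum_value` constructor when the lookup fails. It should read `broker::enum_value(enum_name ? enum_name : "")`, or return `{}` when no name is found so the caller sees the failure. Separately, the `TYPE_FUNC` branch of `val_converter::operator()(const std::string&)` returns `id->ID_Val()` without taking a reference, while every other branch returns a value the caller owns (the `TYPE_FILE` branch even calls `Ref(file)` first). Callers release what `data_to_val` gives them, so this looks like it over-releases the function value each time a peer sends a function name; adding `Ref(rval);` before that `return rval;` would make the branch consistent.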
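Review bot: The three conversion functions declared in src/comm/Data.h carry no comments, and their failure and ownership conventions differ in ways the signatures do not show. Going by the definitions in Data.cc, I would add `// Returns a new reference, or nullptr if d does not match type.` above `data_to_val`, `// Returns an empty optional if v (or a nested element) has an unsupported type.` above `val_to_data`, and `// Always returns a record; its "d" field stays unset when v cannot be converted.` above `make_data_val`. The last one matters most, because callers have to test `Lookup(0)` rather than the returned pointer.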
@@ -103,6 +107,96 @@ bool comm::Manager::Print(string topic, string msg, const Val* flags) return true; } +bool comm::Manager::Event(std::string topic, const RecordVal* args, + const Val* flags) + { + if ( ! args->Lookup(0) ) + return false; + + auto event_name = args->Lookup(0)->AsString()->CheckString(); + auto vv = args->Lookup(1)->AsVectorVal(); + broker::message msg; + msg.reserve(vv->Size() + 1); + msg.emplace_back(event_name); + + for ( auto i = 0u; i < vv->Size(); ++i ) + { + auto val = vv->Lookup(i)->AsRecordVal()->Lookup(0); + auto data_val = dynamic_cast(val); + msg.emplace_back(data_val->data); + } + + endpoint->send(move(topic), move(msg), get_flags(flags)); + return true; + } + +RecordVal* comm::Manager::MakeEventArgs(const val_list* args) + { + auto rval = new RecordVal(BifType::Record::Comm::EventArgs); + auto arg_vec = new VectorVal(vector_of_data_type); + rval->Assign(1, arg_vec); + const Func* func; + + for ( auto i = 0u; i < args->length(); ++i ) + { + auto arg_val = (*args)[i]; + + if ( i == 0 ) + { + // Event val must come first. + + if ( arg_val->Type()->Tag() != TYPE_FUNC ) + { + reporter->Error("1st param of Comm::event_args must be event"); + return rval; + } + + func = arg_val->AsFunc(); + + if ( func->Flavor() != FUNC_FLAVOR_EVENT ) + { + reporter->Error("1st param of Comm::event_args must be event"); + return rval; + } + + auto num_args = func->FType()->Args()->NumFields(); + + if ( num_args != args->length() - 1 ) + { + reporter->Error("bad # of Comm::event_args: got %d, expect %d", + args->length(), num_args + 1); + return rval; + } + + rval->Assign(0, new StringVal(func->Name())); + continue; + } + + auto expected_type = (*func->FType()->ArgTypes()->Types())[i - 1]; + + if ( ! same_type((*args)[i]->Type(), expected_type) ) + { + rval->Assign(0, 0); + reporter->Error("Comm::event_args param %d type mismatch", i); + return rval; + } + + auto data_val = make_data_val((*args)[i]); + + if ( ! 
data_val->Lookup(0) ) + { + Unref(data_val); + rval->Assign(0, 0); + reporter->Error("Comm::event_args unsupported event/params"); + return rval; + } + + arg_vec->Assign(i - 1, data_val); + } + + return rval; + } + bool comm::Manager::SubscribeToPrints(string topic_prefix) { auto& q = print_subscriptions[topic_prefix]; @@ -119,6 +213,22 @@ bool comm::Manager::UnsubscribeToPrints(const string& topic_prefix) return print_subscriptions.erase(topic_prefix); } +bool comm::Manager::SubscribeToEvents(string topic_prefix) + { + auto& q = event_subscriptions[topic_prefix]; + + if ( q ) + return false; + + q = broker::message_queue(move(topic_prefix), *endpoint); + return true; + } + +bool comm::Manager::UnsubscribeToEvents(const string& topic_prefix) + { + return event_subscriptions.erase(topic_prefix); + } + int comm::Manager::get_flags(const Val* flags) { auto r = flags->AsRecordVal(); @@ -149,6 +259,9 @@ void comm::Manager::GetFds(iosource::FD_Set* read, iosource::FD_Set* write, for ( const auto& ps : print_subscriptions ) read->Insert(ps.second.fd()); + + for ( const auto& ps : event_subscriptions ) + read->Insert(ps.second.fd()); } double comm::Manager::NextTimestamp(double* local_network_time) 
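Review bot: The loop in the new `comm::Manager::Event(std::string, const RecordVal*, const Val*)` dereferences `data_val->data` without checking that the `dynamic_cast` succeeded, and it also assumes `vv->Lookup(i)` is non-null. `Comm::Data` declares its `d` field `&optional` and scripts can build a `Comm::EventArgs` by hand, so a record with an unset `d` or a vector with a hole reaches this code as a null pointer. Add `if ( ! data_val ) return false;` before the `emplace_back` (ideally with a `reporter->Error`), and test the result of `vv->Lookup(i)` before calling `AsRecordVal()` on it. `args->Lookup(1)` is used unchecked in the same way and deserves the same guard.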
@@ -251,5 +364,69 @@ void comm::Manager::Process() } } + for ( const auto& es : event_subscriptions ) + { + auto event_messages = es.second.want_pop(); + + if ( event_messages.empty() ) + continue; + + idle = false; + + for ( auto& em : event_messages ) + { + if ( em.empty() ) + { + reporter->Warning("got empty event message"); + continue; + } + + std::string* event_name = broker::get(em[0]); + + if ( ! event_name ) + { + reporter->Warning("got event message w/o event name: %d", + static_cast(broker::which(em[0]))); + continue; + } + + EventHandlerPtr ehp = event_registry->Lookup(event_name->data()); + + if ( ! ehp ) + continue; + + auto arg_types = ehp->FType()->ArgTypes()->Types(); + + if ( arg_types->length() != em.size() - 1 ) + { + reporter->Warning("got event message with invalid # of args," + " got %zd, expected %d", em.size() - 1, + arg_types->length()); + continue; + } + + val_list* vl = new val_list; + + for ( auto i = 1u; i < em.size(); ++i ) + { + auto val = data_to_val(move(em[i]), (*arg_types)[i - 1]); + + if ( val ) + vl->append(val); + else + { + reporter->Warning("failed to convert remote event arg # %d", + i - 1); + break; + } + } + + if ( vl->length() == em.size() - 1 ) + mgr.QueueEvent(ehp, vl); + else + delete_vals(vl); + } + } + SetIdle(idle); } diff --git a/src/comm/Manager.h b/src/comm/Manager.h index 0f7d5a4a1c..020f78a03b 100644 --- a/src/comm/Manager.h +++ b/src/comm/Manager.h @@ -31,10 +31,18 @@ public: bool Print(std::string topic, std::string msg, const Val* flags); + bool Event(std::string topic, const RecordVal* args, const Val* flags); + + RecordVal* MakeEventArgs(const val_list* args); + bool SubscribeToPrints(std::string topic_prefix); bool UnsubscribeToPrints(const std::string& topic_prefix); + bool SubscribeToEvents(std::string topic_prefix); + + bool UnsubscribeToEvents(const std::string& topic_prefix); + private: int get_flags(const Val* flags); 
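Review bot: The only gate on an incoming event in this new loop of `comm::Manager::Process` is that `event_registry->Lookup` finds the name and that the arguments convert to the handler's types. Any peer able to publish under a subscribed prefix can therefore raise any event that has a handler, including ones the script author never meant to expose. Unless broker restricts publishers elsewhere (not visible here), this trust boundary should at least be written down, for example `// NOTE: peers may raise any registered event by name; filter on event_name here if only some events should be remotely raisable.` above the lookup. A minor point in the same loop: `em.size() - 1` is a `size_t`, so the warning's `%zd` should be `%zu`. `Process` begins outside this hunk.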
@@ -53,10 +61,13 @@ private: std::unique_ptr endpoint; std::map, broker::peering> peers; std::map print_subscriptions; + std::map event_subscriptions; int send_flags_self_idx; int send_flags_peers_idx; int send_flags_unsolicited_idx; + + VectorType* vector_of_data_type; }; } // namespace comm diff --git a/src/comm/comm.bif b/src/comm/comm.bif index 6294864bba..fe405222cc 100644 --- a/src/comm/comm.bif +++ b/src/comm/comm.bif @@ -1,17 +1,29 @@ %%{ #include "comm/Manager.h" +#include "comm/Data.h" %%} module Comm; type Comm::SendFlags: record; +type Comm::Data: record; + +type Comm::EventArgs: record; + +function Comm::data%(d: any%): Comm::Data + %{ + return comm::make_data_val(d); + %} + event Comm::remote_connection_established%(peer_address: string, peer_port: port, peer_name: string%); + event Comm::remote_connection_broken%(peer_address: string, peer_port: port%); + event Comm::remote_connection_incompatible%(peer_address: string, peer_port: port%); 
@@ -62,14 +74,40 @@ function Comm::print%(topic: string, msg: string, return new Val(rval, TYPE_BOOL); %} -function Comm::subscribe_to_prints%(topic_prefix: string &default = ""%): bool +function Comm::subscribe_to_prints%(topic_prefix: string%): bool %{ auto rval = comm_mgr->SubscribeToPrints(topic_prefix->CheckString()); return new Val(rval, TYPE_BOOL); %} -function Comm::unsubscribe_to_prints%(topic_prefix: string &default = ""%): bool +function Comm::unsubscribe_to_prints%(topic_prefix: string%): bool %{ auto rval = comm_mgr->UnsubscribeToPrints(topic_prefix->CheckString()); return new Val(rval, TYPE_BOOL); %} + +function Comm::event_args%(...%): Comm::EventArgs + %{ + auto rval = comm_mgr->MakeEventArgs(@ARGS@); + return rval; + %} + +function Comm::event%(topic: string, args: Comm::EventArgs, + flags: SendFlags &default = SendFlags()%): bool + %{ + auto rval = comm_mgr->Event(topic->CheckString(), args->AsRecordVal(), + flags); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::subscribe_to_events%(topic_prefix: string%): bool + %{ + auto rval = comm_mgr->SubscribeToEvents(topic_prefix->CheckString()); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::unsubscribe_to_events%(topic_prefix: string%): bool + %{ + auto rval = comm_mgr->UnsubscribeToEvents(topic_prefix->CheckString()); + return new Val(rval, TYPE_BOOL); + %} From 5df71ddc911a87234371121146e8d382efde9192 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 22 Jan 2015 11:29:53 -0600 Subject: [PATCH 016/109] broker integration: add auto sending remote events i.e. ability to toggle whether all local dispatches of an event also generate a remote event message to peers. --- src/EventHandler.cc | 50 +++++++++++++++++++++++++++++++++- src/EventHandler.h | 19 ++++++++++++- src/comm/Manager.cc | 65 +++++++++++++++++++++++++++++++++++++++++++++ src/comm/Manager.h | 5 ++++ src/comm/comm.bif | 13 +++++++++ 5 files changed, 150 insertions(+), 2 deletions(-) 
diff --git a/src/EventHandler.cc b/src/EventHandler.cc index 0f25d63ba8..d623f43b66 100644 --- a/src/EventHandler.cc +++ b/src/EventHandler.cc @@ -5,6 +5,11 @@ #include "RemoteSerializer.h" #include "NetVar.h" +#ifdef ENABLE_BROKER +#include "comm/Manager.h" +#include "comm/Data.h" +#endif + EventHandler::EventHandler(const char* arg_name) { name = copy_string(arg_name); @@ -26,7 +31,12 @@ EventHandler::operator bool() const { return enabled && ((local && local->HasBodies()) || receivers.length() - || generate_always); + || generate_always +#ifdef ENABLE_BROKER + || ! auto_remote_send.empty() + // TODO: and require a subscriber interested in a topic or unsolicited flags? +#endif + ); } FuncType* EventHandler::FType() @@ -73,6 +83,44 @@ void EventHandler::Call(val_list* vl, bool no_remote) SerialInfo info(remote_serializer); remote_serializer->SendCall(&info, receivers[i], name, vl); } + +#ifdef ENABLE_BROKER + + if ( ! auto_remote_send.empty() ) + { + // TODO: also short-circuit based on interested subscribers/flags? + broker::message msg; + msg.reserve(vl->length() + 1); + msg.emplace_back(Name()); + bool valid_args = true; + + for ( auto i = 0u; i < vl->length(); ++i ) + { + auto opt_data = comm::val_to_data((*vl)[i]); + + if ( opt_data ) + msg.emplace_back(move(*opt_data)); + else + { + valid_args = false; + auto_remote_send.clear(); + reporter->Error("failed auto-remote event '%s', disabled", + Name()); + break; + } + } + + if ( valid_args ) + for ( auto it = auto_remote_send.begin(); + it != auto_remote_send.end(); ++it ) + { + if ( std::next(it) == auto_remote_send.end() ) + comm_mgr->Event(it->first, move(msg), it->second); + else + comm_mgr->Event(it->first, msg, it->second); + } + } +#endif } if ( local ) diff --git a/src/EventHandler.h b/src/EventHandler.h index 55ac33cffd..7729e2af27 100644 --- a/src/EventHandler.h +++ b/src/EventHandler.h @@ -4,7 +4,8 @@ #define EVENTHANDLER #include - +#include +#include #include "List.h" #include "BroList.h" 
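Review bot: Nothing in the added `#ifdef ENABLE_BROKER` block of `EventHandler::Call` tells a locally raised event apart from one just received from a peer, so an event that two peers both register with `Comm::auto_event` may be re-published on every receipt. The receive path in `comm::Manager::Process` queues with `mgr.QueueEvent(ehp, vl)` and no source argument, so I assume `no_remote` stays false for those calls; please confirm, and if so mark broker-received events as remote before queuing them. Also, one unconvertible argument runs `auto_remote_send.clear()`, which drops auto-sending for every topic on this handler until a script re-enables it. That side effect needs a comment such as `// Argument types cannot be sent: disable all auto-send topics for this event.`, and the error text could say that all topics were disabled. The body of `Call` begins outside this hunk.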
@@ -28,6 +29,18 @@ public: void AddRemoteHandler(SourceID peer); void RemoveRemoteHandler(SourceID peer); +#ifdef ENABLE_BROKER + void AutoRemote(std::string topic, int flags) + { + auto_remote_send[std::move(topic)] = flags; + } + + void AutoRemoteStop(const std::string& topic) + { + auto_remote_send.erase(topic); + } +#endif + void Call(val_list* vl, bool no_remote = false); // Returns true if there is at least one local or remote handler. @@ -67,6 +80,10 @@ private: declare(List, SourceID); typedef List(SourceID) receiver_list; receiver_list receivers; + +#ifdef ENABLE_BROKER + std::map auto_remote_send; // topic -> flags +#endif }; // Encapsulates a ptr to an event handler to overload the boolean operator. diff --git a/src/comm/Manager.cc b/src/comm/Manager.cc index b4f118706a..d803d64ae7 100644 --- a/src/comm/Manager.cc +++ b/src/comm/Manager.cc @@ -107,6 +107,12 @@ bool comm::Manager::Print(string topic, string msg, const Val* flags) return true; } +bool comm::Manager::Event(std::string topic, broker::message msg, int flags) + { + endpoint->send(move(topic), move(msg), flags); + return true; + } + bool comm::Manager::Event(std::string topic, const RecordVal* args, const Val* flags) { 
@@ -130,6 +136,65 @@ bool comm::Manager::Event(std::string topic, const RecordVal* args, return true; } +bool comm::Manager::AutoEvent(string topic, const Val* event, const Val* flags) + { + if ( event->Type()->Tag() != TYPE_FUNC ) + { + reporter->Error("Comm::auto_event must operate on an event"); + return false; + } + + auto event_val = event->AsFunc(); + + if ( event_val->Flavor() != FUNC_FLAVOR_EVENT ) + { + reporter->Error("Comm::auto_event must operate on an event"); + return false; + } + + auto handler = event_registry->Lookup(event_val->Name()); + + if ( ! handler ) + { + reporter->Error("Comm::auto_event failed to lookup event '%s'", + event_val->Name()); + return false; + } + + handler->AutoRemote(move(topic), get_flags(flags)); + return true; + } + +bool comm::Manager::AutoEventStop(const string& topic, const Val* event) + { + if ( event->Type()->Tag() != TYPE_FUNC ) + { + reporter->Error("Comm::auto_event_stop must operate on an event"); + return false; + } + + auto event_val = event->AsFunc(); + + if ( event_val->Flavor() != FUNC_FLAVOR_EVENT ) + { + reporter->Error("Comm::auto_event_stop must operate on an event"); + return false; + } + + auto handler = event_registry->Lookup(event_val->Name()); + + if ( ! handler ) + { + reporter->Error("Comm::auto_event_stop failed to lookup event '%s'", + event_val->Name()); + return false; + } + + + handler->AutoRemoteStop(topic); + return true; + } + RecordVal* comm::Manager::MakeEventArgs(const val_list* args) { auto rval = new RecordVal(BifType::Record::Comm::EventArgs); diff --git a/src/comm/Manager.h b/src/comm/Manager.h index 020f78a03b..70bec51ded 100644 --- a/src/comm/Manager.h +++ b/src/comm/Manager.h 
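Review bot: `comm::Manager::AutoEvent` and `comm::Manager::AutoEventStop` repeat the same three validation steps line for line, differing only in the bif name inside the error strings, which makes it easy for the two to drift apart. A file-local helper that validates the value and returns the handler keeps the checks and messages in one place; each caller then needs only a null check before `AutoRemote` or `AutoRemoteStop`. The error messages below expand to exactly the current text.

```cpp
// Shared validation for Comm::auto_event and Comm::auto_event_stop:
// returns the handler for `event`, or nullptr after reporting an error.
static EventHandler* lookup_auto_event_handler(const Val* event, const char* bif)
	{
	if ( event->Type()->Tag() != TYPE_FUNC ||
	     event->AsFunc()->Flavor() != FUNC_FLAVOR_EVENT )
		{
		reporter->Error("%s must operate on an event", bif);
		return nullptr;
		}

	auto handler = event_registry->Lookup(event->AsFunc()->Name());

	if ( ! handler )
		reporter->Error("%s failed to lookup event '%s'", bif,
		                event->AsFunc()->Name());

	return handler;
	}

bool comm::Manager::AutoEvent(string topic, const Val* event, const Val* flags)
	{
	auto handler = lookup_auto_event_handler(event, "Comm::auto_event");

	if ( ! handler )
		return false;
	// … unchanged: handler->AutoRemote(...) and return true …
```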
@@ -31,8 +31,13 @@ public: bool Print(std::string topic, std::string msg, const Val* flags); + bool Event(std::string topic, broker::message msg, int flags); bool Event(std::string topic, const RecordVal* args, const Val* flags); + bool AutoEvent(std::string topic, const Val* event, const Val* flags); + + bool AutoEventStop(const std::string& topic, const Val* event); + RecordVal* MakeEventArgs(const val_list* args); bool SubscribeToPrints(std::string topic_prefix); diff --git a/src/comm/comm.bif b/src/comm/comm.bif index fe405222cc..c185120126 100644 --- a/src/comm/comm.bif +++ b/src/comm/comm.bif @@ -100,6 +100,19 @@ function Comm::event%(topic: string, args: Comm::EventArgs, return new Val(rval, TYPE_BOOL); %} +function Comm::auto_event%(topic: string, ev: any, + flags: SendFlags &default = SendFlags()%): bool + %{ + auto rval = comm_mgr->AutoEvent(topic->CheckString(), ev, flags); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::auto_event_stop%(topic: string, ev: any%): bool + %{ + auto rval = comm_mgr->AutoEventStop(topic->CheckString(), ev); + return new Val(rval, TYPE_BOOL); + %} + function Comm::subscribe_to_events%(topic_prefix: string%): bool %{ auto rval = comm_mgr->SubscribeToEvents(topic_prefix->CheckString()); From 2b598e3d5a582b61ab43d43d52134a95e7e45336 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Mon, 26 Jan 2015 14:24:42 -0600 Subject: [PATCH 017/109] broker integration: add remote logging It now works a bit differently than before: whether to send a remote log write is now a property of the logging stream, not the logging filter and it's now up the the receiver side filters to instantiate the desired writer. i.e. the sender now has no say in what the receiver should use as the log writer backend. Under the new style of remote logging, the "Log::enable_remote_logging" option is repurposed to set the default behavior for new logging streams. There's also "Comm::{enable,disable}_remote_logging()" to explicitly set the desired behavior for a given logging stream. To receive remote logs, one calls "Comm::subscribe_to_logs()", where senders implicitly use topics of the form "bro/log/". --- aux/broker | 2 +- src/comm/Data.cc | 2 +- src/comm/Manager.cc | 137 +++++++++++++++++++++++++++++++++++++++-- src/comm/Manager.h | 21 +++++-- src/comm/comm.bif | 34 ++++++++++ src/logging/Manager.cc | 66 ++++++++++++++++++++ src/logging/Manager.h | 10 +++ 7 files changed, 260 insertions(+), 12 deletions(-) diff --git a/aux/broker b/aux/broker index 1e8d675790..425bab3bf4 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 1e8d6757909750524c15f8eaf3c297243bc55425 +Subproject commit 425bab3bf420898d8dbd14280f94aee9d420f617 diff --git a/src/comm/Data.cc b/src/comm/Data.cc index 58d5b30085..b279b97529 100644 --- a/src/comm/Data.cc +++ b/src/comm/Data.cc @@ -332,7 +332,7 @@ struct val_converter { rval->Assign(i, item_val); } - return nullptr; + return rval; } }; diff --git a/src/comm/Manager.cc b/src/comm/Manager.cc index d803d64ae7..ffe68970a8 100644 --- a/src/comm/Manager.cc +++ b/src/comm/Manager.cc 
@@ -7,9 +7,16 @@ #include "Var.h" #include "Reporter.h" #include "comm/comm.bif.h" +#include "logging/Manager.h" using namespace std; +VectorType* comm::Manager::vector_of_data_type; +EnumType* comm::Manager::log_id_type; +int comm::Manager::send_flags_self_idx; +int comm::Manager::send_flags_peers_idx; +int comm::Manager::send_flags_unsolicited_idx; + bool comm::Manager::InitPreScript() { return true; @@ -33,6 +40,8 @@ bool comm::Manager::InitPostScript() send_flags_peers_idx = require_field(send_flags_type, "peers"); send_flags_unsolicited_idx = require_field(send_flags_type, "unsolicited"); + log_id_type = internal_type("Log::ID")->AsEnumType(); + comm::opaque_of_data_type = new OpaqueType("Comm::Data"); vector_of_data_type = new VectorType(internal_type("Comm::Data")->Ref()); @@ -103,7 +112,7 @@ bool comm::Manager::Disconnect(const string& addr, uint16_t port) bool comm::Manager::Print(string topic, string msg, const Val* flags) { - endpoint->send(move(topic), broker::message{move(msg)}, get_flags(flags)); + endpoint->send(move(topic), broker::message{move(msg)}, GetFlags(flags)); return true; } 
@@ -113,6 +122,34 @@ bool comm::Manager::Event(std::string topic, broker::message msg, int flags) return true; } +bool comm::Manager::Log(const EnumVal* stream, const RecordVal* columns, + int flags) + { + auto stream_name = stream->Type()->AsEnumType()->Lookup(stream->AsEnum()); + + if ( ! stream_name ) + { + reporter->Error("Failed to remotely log: stream %d doesn't have name", + stream->AsEnum()); + return false; + } + + auto opt_column_data = val_to_data(columns); + + if ( ! opt_column_data ) + { + reporter->Error("Failed to remotely log stream %s: unsupported types", + stream_name); + return false; + } + + broker::message msg{broker::enum_value{stream_name}, + move(*opt_column_data)}; + std::string topic = std::string("bro/log/") + stream_name; + endpoint->send(move(topic), move(msg), flags); + return true; + } + bool comm::Manager::Event(std::string topic, const RecordVal* args, const Val* flags) { @@ -132,7 +169,7 @@ bool comm::Manager::Event(std::string topic, const RecordVal* args, msg.emplace_back(data_val->data); } - endpoint->send(move(topic), move(msg), get_flags(flags)); + endpoint->send(move(topic), move(msg), GetFlags(flags)); return true; } @@ -161,7 +198,7 @@ bool comm::Manager::AutoEvent(string topic, const Val* event, const Val* flags) return false; } - handler->AutoRemote(move(topic), get_flags(flags)); + handler->AutoRemote(move(topic), GetFlags(flags)); return true; } 
@@ -294,7 +331,23 @@ bool comm::Manager::UnsubscribeToEvents(const string& topic_prefix) return event_subscriptions.erase(topic_prefix); } -int comm::Manager::get_flags(const Val* flags) +bool comm::Manager::SubscribeToLogs(string topic_prefix) + { + auto& q = log_subscriptions[topic_prefix]; + + if ( q ) + return false; + + q = broker::message_queue(move(topic_prefix), *endpoint); + return true; + } + +bool comm::Manager::UnsubscribeToLogs(const string& topic_prefix) + { + return log_subscriptions.erase(topic_prefix); + } + +int comm::Manager::GetFlags(const Val* flags) { auto r = flags->AsRecordVal(); int rval = 0; @@ -327,6 +380,9 @@ void comm::Manager::GetFds(iosource::FD_Set* read, iosource::FD_Set* write, for ( const auto& ps : event_subscriptions ) read->Insert(ps.second.fd()); + + for ( const auto& ps : log_subscriptions ) + read->Insert(ps.second.fd()); } double comm::Manager::NextTimestamp(double* local_network_time) 
@@ -493,5 +549,78 @@ void comm::Manager::Process() } } + struct unref_guard { + unref_guard(Val* v) : val(v) {} + ~unref_guard() { Unref(val); } + Val* val; + }; + + for ( const auto& ls : log_subscriptions ) + { + auto log_messages = ls.second.want_pop(); + + if ( log_messages.empty() ) + continue; + + idle = false; + + for ( auto& lm : log_messages ) + { + if ( lm.size() != 2 ) + { + reporter->Warning("got bad remote log size: %zd (expect 2)", + lm.size()); + continue; + } + + if ( ! broker::get(lm[0]) ) + { + reporter->Warning("got remote log w/o stream id: %d", + static_cast(broker::which(lm[0]))); + continue; + } + + if ( ! broker::get(lm[1]) ) + { + reporter->Warning("got remote log w/o columns: %d", + static_cast(broker::which(lm[1]))); + continue; + } + + auto stream_id = data_to_val(move(lm[0]), log_id_type); + + if ( ! stream_id ) + { + reporter->Warning("failed to unpack remote log stream id"); + continue; + } + + unref_guard stream_id_unreffer{stream_id}; + auto columns_type = log_mgr->StreamColumns(stream_id->AsEnumVal()); + + if ( ! columns_type ) + { + reporter->Warning("got remote log for unknown stream: %s", + stream_id->Type()->AsEnumType()->Lookup( + stream_id->AsEnum())); + continue; + } + + auto columns = data_to_val(move(lm[1]), columns_type); + + if ( ! columns ) + { + reporter->Warning("failed to unpack remote log stream columns" + " for stream: %s", + stream_id->Type()->AsEnumType()->Lookup( + stream_id->AsEnum())); + continue; + } + + log_mgr->Write(stream_id->AsEnumVal(), columns->AsRecordVal()); + Unref(columns); + } + } + SetIdle(idle); } diff --git a/src/comm/Manager.h b/src/comm/Manager.h index 70bec51ded..3c1e80827b 100644 --- a/src/comm/Manager.h +++ b/src/comm/Manager.h @@ -8,6 +8,7 @@ #include #include "Reporter.h" #include "iosource/IOSource.h" +#include "Val.h" namespace comm { 
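Review bot: The stream a remote log record is written to is taken from the message body (`lm[0]`) and never compared with the subscription that delivered it (`ls.first`), so subscribing to one `bro/log/` prefix does not limit which local stream a peer's records end up in. If the prefix is meant to bound what a peer may write, rebuild the expected topic from the unpacked stream name and skip the message when it does not start with the subscribed prefix, e.g. `if ( (std::string("bro/log/") + name).compare(0, ls.first.size(), ls.first) != 0 ) continue;` with `name` being the looked-up stream name. Records accepted here go straight to `log_mgr->Write` with nothing marking them as remote, so a comment stating that entries from peers are indistinguishable from local ones would help whoever audits these logs later. As in the event loop, `lm.size()` is a `size_t` and the warning's `%zd` should be `%zu`. `Process` begins outside this hunk.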
@@ -34,6 +35,8 @@ public: bool Event(std::string topic, broker::message msg, int flags); bool Event(std::string topic, const RecordVal* args, const Val* flags); + bool Log(const EnumVal* stream_id, const RecordVal* columns, int flags); + bool AutoEvent(std::string topic, const Val* event, const Val* flags); bool AutoEventStop(const std::string& topic, const Val* event); @@ -48,9 +51,13 @@ public: bool UnsubscribeToEvents(const std::string& topic_prefix); -private: + bool SubscribeToLogs(std::string topic_prefix); - int get_flags(const Val* flags); + bool UnsubscribeToLogs(const std::string& topic_prefix); + + static int GetFlags(const Val* flags); + +private: // IOSource interface overrides: void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, @@ -67,12 +74,14 @@ private: std::map, broker::peering> peers; std::map print_subscriptions; std::map event_subscriptions; + std::map log_subscriptions; - int send_flags_self_idx; - int send_flags_peers_idx; - int send_flags_unsolicited_idx; + static VectorType* vector_of_data_type; + static EnumType* log_id_type; + static int send_flags_self_idx; + static int send_flags_peers_idx; + static int send_flags_unsolicited_idx; - VectorType* vector_of_data_type; }; } // namespace comm diff --git a/src/comm/comm.bif b/src/comm/comm.bif index c185120126..e1c2bc533f 100644 --- a/src/comm/comm.bif +++ b/src/comm/comm.bif @@ -2,6 +2,7 @@ %%{ #include "comm/Manager.h" #include "comm/Data.h" +#include "logging/Manager.h" %%} module Comm; 
@@ -124,3 +125,36 @@ function Comm::unsubscribe_to_events%(topic_prefix: string%): bool auto rval = comm_mgr->UnsubscribeToEvents(topic_prefix->CheckString()); return new Val(rval, TYPE_BOOL); %} + +function +Comm::enable_remote_logs%(id: Log::ID, + flags: SendFlags &default = SendFlags()%): bool + %{ + auto rval = log_mgr->EnableRemoteLogs(id->AsEnumVal(), + comm::Manager::GetFlags(flags)); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::disable_remote_logs%(id: Log::ID%): bool + %{ + auto rval = log_mgr->DisableRemoteLogs(id->AsEnumVal()); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::remote_logs_enabled%(id: Log::ID%): bool + %{ + auto rval = log_mgr->RemoteLogsAreEnabled(id->AsEnumVal()); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::subscribe_to_logs%(topic_prefix: string%): bool + %{ + auto rval = comm_mgr->SubscribeToLogs(topic_prefix->CheckString()); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::unsubscribe_to_logs%(topic_prefix: string%): bool + %{ + auto rval = comm_mgr->UnsubscribeToLogs(topic_prefix->CheckString()); + return new Val(rval, TYPE_BOOL); + %} diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc index 1fe5db3b26..d6d7fbb908 100644 --- a/src/logging/Manager.cc +++ b/src/logging/Manager.cc @@ -16,6 +16,10 @@ #include "WriterBackend.h" #include "logging.bif.h" +#ifdef ENABLE_BROKER +#include "comm/Manager.h" +#endif + using namespace logging; struct Manager::Filter { @@ -69,6 +73,11 @@ struct Manager::Stream { WriterMap writers; // Writers indexed by id/path pair. +#ifdef ENABLE_BROKER + bool enable_remote; + int remote_flags; +#endif + ~Stream(); }; 
@@ -287,6 +296,11 @@ bool Manager::CreateStream(EnumVal* id, RecordVal* sval) streams[idx]->event = event ? event_registry->Lookup(event->Name()) : 0; streams[idx]->columns = columns->Ref()->AsRecordType(); +#ifdef ENABLE_BROKER + streams[idx]->enable_remote = internal_val("Log::enable_remote_logging")->AsBool(); + streams[idx]->remote_flags = broker::PEERS; +#endif + DBG_LOG(DBG_LOGGING, "Created new logging stream '%s', raising event %s", streams[idx]->name.c_str(), event ? streams[idx]->event->Name() : ""); @@ -828,6 +842,11 @@ bool Manager::Write(EnumVal* id, RecordVal* columns) #endif } +#ifdef ENABLE_BROKER + if ( stream->enable_remote ) + comm_mgr->Log(id, columns, stream->remote_flags); +#endif + Unref(columns); if ( error ) @@ -1206,6 +1225,53 @@ void Manager::Terminate() } } +#ifdef ENABLE_BROKER + +bool Manager::EnableRemoteLogs(EnumVal* stream_id, int flags) + { + auto stream = FindStream(stream_id); + + if ( ! stream ) + return false; + + stream->enable_remote = true; + stream->remote_flags = flags; + return true; + } + +bool Manager::DisableRemoteLogs(EnumVal* stream_id) + { + auto stream = FindStream(stream_id); + + if ( ! stream ) + return false; + + stream->enable_remote = false; + return true; + } + +bool Manager::RemoteLogsAreEnabled(EnumVal* stream_id) + { + auto stream = FindStream(stream_id); + + if ( ! stream ) + return false; + + return stream->enable_remote; + } + +RecordType* Manager::StreamColumns(EnumVal* stream_id) + { + auto stream = FindStream(stream_id); + + if ( ! stream ) + return nullptr; + + return stream->columns; + } + +#endif + // Timer which on dispatching rotates the filter. class RotationTimer : public Timer { public: diff --git a/src/logging/Manager.h b/src/logging/Manager.h index b8264927a3..8130a1ddd4 100644 --- a/src/logging/Manager.h +++ b/src/logging/Manager.h 
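Review bot: The added `comm_mgr->Log(id, columns, stream->remote_flags)` in `Manager::Write` also runs for the writes that `comm::Manager::Process()` issues for records received from a peer, so a node that subscribes to logs and has `enable_remote` set re-publishes what it receives. Whether two such nodes can bounce a record between them depends on broker's topic routing, which is not visible here, but nothing on this path marks a record as already forwarded. Consider letting the receive path skip the forward, for example with a flag checked as `if ( stream->enable_remote && ! from_remote )` (the name is illustrative). The return value of `Log` is also dropped, so a failed send goes unreported. `Write` starts and ends outside the hunk.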
@@ -157,6 +157,16 @@ public: */ void Terminate(); +#ifdef ENABLE_BROKER + bool EnableRemoteLogs(EnumVal* stream_id, int flags); + + bool DisableRemoteLogs(EnumVal* stream_id); + + bool RemoteLogsAreEnabled(EnumVal* stream_id); + + RecordType* StreamColumns(EnumVal* stream_id); +#endif + protected: friend class WriterFrontend; friend class RotationFinishedMessage; From 55275436016f96e0fd77ffd1e921fd7a96fe1e0d Mon Sep 17 00:00:00 2001 
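Review bot: The four methods added under `#ifdef ENABLE_BROKER` carry no doc comments, although the neighbouring `Terminate()` is documented in the header's `/** ... */` style. Each should say what a `false` or null return means; going by the definitions in `Manager.cc`, that is an unknown stream id in all four cases. For `StreamColumns`, also note that the pointer is returned without taking a reference, e.g. `/** @return the stream's column type (not Ref'd; caller must not Unref), or null if the stream does not exist. */`. `EnableRemoteLogs` should additionally document that `flags` replaces the stream's previous send flags.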
From: Jon Siwek Date: Mon, 26 Jan 2015 16:53:13 -0600 Subject: [PATCH 018/109] broker integration: add unit tests for remote log/print/event --- aux/broker | 2 +- src/comm/Manager.cc | 4 +- src/comm/Manager.h | 3 +- src/comm/comm.bif | 6 +- src/main.cc | 2 +- .../Baseline/comm.remote_event/recv.recv.out | 6 ++ .../Baseline/comm.remote_event/send.send.out | 13 +++ .../Baseline/comm.remote_log/recv.recv.out | 6 ++ .../Baseline/comm.remote_log/recv.test.log | 15 +++ .../Baseline/comm.remote_log/send.send.out | 1 + .../Baseline/comm.remote_log/send.test.log | 15 +++ .../Baseline/comm.remote_print/recv.recv.out | 6 ++ .../Baseline/comm.remote_print/send.send.out | 7 ++ testing/btest/btest.cfg | 2 +- testing/btest/comm/remote_event.test | 100 ++++++++++++++++++ testing/btest/comm/remote_log.test | 87 +++++++++++++++ testing/btest/comm/remote_print.test | 66 ++++++++++++ 17 files changed, 333 insertions(+), 8 deletions(-) create mode 100644 testing/btest/Baseline/comm.remote_event/recv.recv.out create mode 100644 testing/btest/Baseline/comm.remote_event/send.send.out create mode 100644 testing/btest/Baseline/comm.remote_log/recv.recv.out create mode 100644 testing/btest/Baseline/comm.remote_log/recv.test.log create mode 100644 testing/btest/Baseline/comm.remote_log/send.send.out create mode 100644 testing/btest/Baseline/comm.remote_log/send.test.log create mode 100644 testing/btest/Baseline/comm.remote_print/recv.recv.out create mode 100644 testing/btest/Baseline/comm.remote_print/send.send.out create mode 100644 testing/btest/comm/remote_event.test create mode 100644 testing/btest/comm/remote_log.test create mode 100644 testing/btest/comm/remote_print.test diff --git a/aux/broker b/aux/broker index 425bab3bf4..ebc66f484a 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 425bab3bf420898d8dbd14280f94aee9d420f617 +Subproject commit ebc66f484af27a32dc5d91b1c985638847e35cf6 
diff --git a/src/comm/Manager.cc b/src/comm/Manager.cc index ffe68970a8..bc0bc3f8a8 100644 --- a/src/comm/Manager.cc +++ b/src/comm/Manager.cc @@ -72,9 +72,9 @@ bool comm::Manager::InitPostScript() return true; } -bool comm::Manager::Listen(uint16_t port, const char* addr) +bool comm::Manager::Listen(uint16_t port, const char* addr, bool reuse_addr) { - auto rval = endpoint->listen(port, addr); + auto rval = endpoint->listen(port, addr, reuse_addr); if ( ! rval ) { diff --git a/src/comm/Manager.h b/src/comm/Manager.h index 3c1e80827b..5e3ec350b8 100644 --- a/src/comm/Manager.h +++ b/src/comm/Manager.h @@ -23,7 +23,8 @@ public: bool InitPostScript(); - bool Listen(uint16_t port, const char* addr = nullptr); + bool Listen(uint16_t port, const char* addr = nullptr, + bool reuse_addr = true); bool Connect(std::string addr, uint16_t port, std::chrono::duration retry_interval); diff --git a/src/comm/comm.bif b/src/comm/comm.bif index e1c2bc533f..ebe206d266 100644 --- a/src/comm/comm.bif +++ b/src/comm/comm.bif @@ -28,7 +28,8 @@ event Comm::remote_connection_broken%(peer_address: string, event Comm::remote_connection_incompatible%(peer_address: string, peer_port: port%); -function Comm::listen%(p: port, a: string &default = ""%): bool +function Comm::listen%(p: port, a: string &default = "", + reuse: bool &default = T%): bool %{ if ( ! p->IsTCP() ) { @@ -36,7 +37,8 @@ function Comm::listen%(p: port, a: string &default = ""%): bool return new Val(false, TYPE_BOOL); } - auto rval = comm_mgr->Listen(p->Port(), a->Len() ? a->CheckString() : 0); + auto rval = comm_mgr->Listen(p->Port(), a->Len() ? a->CheckString() : 0, + reuse); return new Val(rval, TYPE_BOOL); %} diff --git a/src/main.cc b/src/main.cc index a7099cb90b..5385ca7993 100644 --- a/src/main.cc +++ b/src/main.cc 
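Review bot: `reuse_addr` defaults to `true` in `Manager::Listen`, and `Comm::listen` gains `reuse: bool &default = T`, so every existing caller now gets address reuse without asking for it, and neither declaration says what the flag does. What `endpoint->listen` does with the value is not visible in this patch. If it maps to the socket-level address-reuse option, the safer default for a listening service is `false` with the tests opting in, since on some platforms that option lets a second process bind the same port. At minimum, add a comment to the declaration in `Manager.h`, such as `// reuse_addr: passed through to broker; allows rebinding a recently used address/port.`, after confirming the semantics against broker.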
@@ -944,7 +944,7 @@ int main(int argc, char** argv) #ifdef ENABLE_BROKER comm_mgr->InitPostScript(); - iosource_mgr->Register(comm_mgr); + iosource_mgr->Register(comm_mgr, true); #endif #ifdef USE_PERFTOOLS_DEBUG diff --git a/testing/btest/Baseline/comm.remote_event/recv.recv.out b/testing/btest/Baseline/comm.remote_event/recv.recv.out new file mode 100644 index 0000000000..7dab0284ea --- /dev/null +++ b/testing/btest/Baseline/comm.remote_event/recv.recv.out @@ -0,0 +1,6 @@ +got event msg, ping, 0 +got event msg, ping, 1 +got event msg, ping, 2 +got event msg, ping, 3 +got event msg, ping, 4 +got event msg, ping, 5 diff --git a/testing/btest/Baseline/comm.remote_event/send.send.out b/testing/btest/Baseline/comm.remote_event/send.send.out new file mode 100644 index 0000000000..ef1f7bc7e1 --- /dev/null +++ b/testing/btest/Baseline/comm.remote_event/send.send.out @@ -0,0 +1,13 @@ +Comm::remote_connection_established, 127.0.0.1, 9999/tcp +got event msg, pong, 0 +got auto event msg, ping, 0 +got event msg, pong, 1 +got auto event msg, ping, 1 +got event msg, pong, 2 +got auto event msg, ping, 2 +got event msg, pong, 3 +got auto event msg, ping, 3 +got event msg, pong, 4 +got auto event msg, ping, 4 +got event msg, pong, 5 +got auto event msg, ping, 5 diff --git a/testing/btest/Baseline/comm.remote_log/recv.recv.out b/testing/btest/Baseline/comm.remote_log/recv.recv.out new file mode 100644 index 0000000000..3e0957442d --- /dev/null +++ b/testing/btest/Baseline/comm.remote_log/recv.recv.out @@ -0,0 +1,6 @@ +wrote log, [msg=ping, num=0] +wrote log, [msg=ping, num=1] +wrote log, [msg=ping, num=2] +wrote log, [msg=ping, num=3] +wrote log, [msg=ping, num=4] +wrote log, [msg=ping, num=5] diff --git a/testing/btest/Baseline/comm.remote_log/recv.test.log b/testing/btest/Baseline/comm.remote_log/recv.test.log new file mode 100644 index 0000000000..0d6dae756c --- /dev/null +++ b/testing/btest/Baseline/comm.remote_log/recv.test.log 
@@ -0,0 +1,15 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path test +#open 2015-01-26-22-47-11 +#fields msg num +#types string count +ping 0 +ping 1 +ping 2 +ping 3 +ping 4 +ping 5 +#close 2015-01-26-22-47-11 diff --git a/testing/btest/Baseline/comm.remote_log/send.send.out b/testing/btest/Baseline/comm.remote_log/send.send.out new file mode 100644 index 0000000000..0968e6beb9 --- /dev/null +++ b/testing/btest/Baseline/comm.remote_log/send.send.out @@ -0,0 +1 @@ +Comm::remote_connection_established, 127.0.0.1, 9999/tcp diff --git a/testing/btest/Baseline/comm.remote_log/send.test.log b/testing/btest/Baseline/comm.remote_log/send.test.log new file mode 100644 index 0000000000..0d6dae756c --- /dev/null +++ b/testing/btest/Baseline/comm.remote_log/send.test.log @@ -0,0 +1,15 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path test +#open 2015-01-26-22-47-11 +#fields msg num +#types string count +ping 0 +ping 1 +ping 2 +ping 3 +ping 4 +ping 5 +#close 2015-01-26-22-47-11 diff --git a/testing/btest/Baseline/comm.remote_print/recv.recv.out b/testing/btest/Baseline/comm.remote_print/recv.recv.out new file mode 100644 index 0000000000..6e5a37abbf --- /dev/null +++ b/testing/btest/Baseline/comm.remote_print/recv.recv.out @@ -0,0 +1,6 @@ +got print msg, ping 0 +got print msg, ping 1 +got print msg, ping 2 +got print msg, ping 3 +got print msg, ping 4 +got print msg, ping 5 diff --git a/testing/btest/Baseline/comm.remote_print/send.send.out b/testing/btest/Baseline/comm.remote_print/send.send.out new file mode 100644 index 0000000000..982ee993f6 --- /dev/null +++ b/testing/btest/Baseline/comm.remote_print/send.send.out @@ -0,0 +1,7 @@ +Comm::remote_connection_established, 127.0.0.1, 9999/tcp +got print msg, pong 0 +got print msg, pong 1 +got print msg, pong 2 +got print msg, pong 3 +got print msg, pong 4 +got print msg, pong 5 
diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg index 43f29d40a1..2eea514357 100644 --- a/testing/btest/btest.cfg +++ b/testing/btest/btest.cfg @@ -1,5 +1,5 @@ [btest] -TestDirs = doc bifs language core scripts istate coverage signatures plugins +TestDirs = doc bifs language core scripts istate coverage signatures plugins comm TmpDir = %(testbase)s/.tmp BaselineDir = %(testbase)s/Baseline IgnoreDirs = .svn CVS .tmp diff --git a/testing/btest/comm/remote_event.test b/testing/btest/comm/remote_event.test new file mode 100644 index 0000000000..9ab9a6b224 --- /dev/null +++ b/testing/btest/comm/remote_event.test 
@@ -0,0 +1,100 @@ +# @TEST_SERIALIZE: brokercomm +# @TEST_REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt + +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out" + +# @TEST-EXEC: btest-bg-wait 20 +# @TEST-EXEC: btest-diff recv/recv.out +# @TEST-EXEC: btest-diff send/send.out + +@TEST-START-FILE recv.bro + +redef exit_only_after_terminate = T; + +global event_handler: event(msg: string, c: count); +global auto_event_handler: event(msg: string, c: count); + +event bro_init() + { + Comm::listen(9999/tcp, "127.0.0.1"); + Comm::subscribe_to_events("bro/event/"); + Comm::auto_event("bro/event/my_topic", auto_event_handler); + } + +global event_count = 0; + +event event_handler(msg: string, n: count) + { + event auto_event_handler(msg, n); + print "got event msg", msg, n; + local args = Comm::event_args(event_handler, "pong", event_count); + Comm::event("bro/event/my_topic", args); + ++event_count; + + if ( n == 5 ) + terminate(); + } + +@TEST-END-FILE + +@TEST-START-FILE send.bro + +redef exit_only_after_terminate = T; + +global event_handler: event(msg: string, c: count); +global auto_event_handler: event(msg: string, c: count); + +event bro_init() + { + Comm::subscribe_to_events("bro/event/my_topic"); + Comm::connect("127.0.0.1", 9999/tcp, 1secs); + } + +global event_count = 0; + +event Comm::remote_connection_established(peer_address: string, + peer_port: port, + peer_name: string) + { + print "Comm::remote_connection_established", peer_address, peer_port; + local args = Comm::event_args(event_handler, "ping", event_count); + Comm::event("bro/event/hi", args); + ++event_count; + } + +global done = F; +global done_auto = F; + +function check_terminate() + { + if ( done && done_auto ) + terminate(); + } + +event event_handler(msg: string, n: count) + { + print "got event msg", msg, n; + local args = Comm::event_args(event_handler, "ping", event_count); + Comm::event("bro/event/hi", args); + 
++event_count; + + if ( n == 5 ) + { + done = T; + check_terminate(); + } + } + +event auto_event_handler(msg: string, n: count) + { + print "got auto event msg", msg, n; + + if ( n == 5 ) + { + done_auto = T; + check_terminate(); + } + } + +@TEST-END-FILE diff --git a/testing/btest/comm/remote_log.test b/testing/btest/comm/remote_log.test new file mode 100644 index 0000000000..aea88cdc25 --- /dev/null +++ b/testing/btest/comm/remote_log.test 
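Review bot: The first two header lines of `remote_event.test` are spelled `@TEST_SERIALIZE` and `@TEST_REQUIRES` with an underscore, while every other directive in the file uses the hyphenated `@TEST-` form. btest keywords are hyphenated, so these two lines are most likely read as plain comments. In that case the test would run even in a build without ENABLE_BROKER, and it would not be serialized against the other tests that listen on the same fixed `9999/tcp`. Change them to `# @TEST-SERIALIZE: brokercomm` and `# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt`. The same two lines appear at the top of `remote_log.test` and `remote_print.test` later in this patch.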
@@ -0,0 +1,87 @@ +# @TEST_SERIALIZE: brokercomm +# @TEST_REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt + +# @TEST-EXEC: btest-bg-run recv "bro -b ../common.bro ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b ../common.bro ../send.bro >send.out" + +# @TEST-EXEC: btest-bg-wait 20 +# @TEST-EXEC: btest-diff recv/recv.out +# @TEST-EXEC: btest-diff recv/test.log +# @TEST-EXEC: btest-diff send/send.out +# @TEST-EXEC: btest-diff send/test.log + +@TEST-START-FILE common.bro + +module Test; + +export { + redef enum Log::ID += { LOG }; + + type Info: record { + msg: string &log; + num: count &log; + }; + + global log_test: event(rec: Test::Info); + + event bro_init() &priority=5 + { + Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test]); + } +} + +@TEST-END-FILE + +@TEST-START-FILE recv.bro + +redef exit_only_after_terminate = T; + +event bro_init() + { + Comm::listen(9999/tcp, "127.0.0.1"); + Comm::subscribe_to_logs("bro/log/"); + } + +event Test::log_test(rec: Test::Info) + { + print "wrote log", rec; + + if ( rec$num == 5 ) + terminate(); + } + +@TEST-END-FILE + +@TEST-START-FILE send.bro + +redef exit_only_after_terminate = T; + +event bro_init() + { + Comm::enable_remote_logs(Test::LOG); + Comm::connect("127.0.0.1", 9999/tcp, 1secs); + } + +global n = 0; + +event do_write() + { + if ( n == 6 ) + terminate(); + else + { + Log::write(Test::LOG, [$msg = "ping", $num = n]); + ++n; + event do_write(); + } + } + +event Comm::remote_connection_established(peer_address: string, + peer_port: port, + peer_name: string) + { + print "Comm::remote_connection_established", peer_address, peer_port; + event do_write(); + } + +@TEST-END-FILE diff --git a/testing/btest/comm/remote_print.test b/testing/btest/comm/remote_print.test new file mode 100644 index 0000000000..48dfd98bed --- /dev/null +++ b/testing/btest/comm/remote_print.test 
@@ -0,0 +1,66 @@ +# @TEST_SERIALIZE: brokercomm +# @TEST_REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt + +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out" + +# @TEST-EXEC: btest-bg-wait 20 +# @TEST-EXEC: btest-diff recv/recv.out +# @TEST-EXEC: btest-diff send/send.out + +@TEST-START-FILE recv.bro + +redef exit_only_after_terminate = T; + +event bro_init() + { + Comm::listen(9999/tcp, "127.0.0.1"); + Comm::subscribe_to_prints("bro/print/"); + } + +global n = 0; + +event Comm::print_handler(msg: string) + { + print "got print msg", msg; + Comm::print("bro/print/my_topic", fmt("pong %d", n)); + ++n; + + if ( msg == "ping 5" ) + terminate(); + } + +@TEST-END-FILE + +@TEST-START-FILE send.bro + +redef exit_only_after_terminate = T; + +event bro_init() + { + Comm::subscribe_to_prints("bro/print/my_topic"); + Comm::connect("127.0.0.1", 9999/tcp, 1secs); + } + +global n = 0; + +event Comm::remote_connection_established(peer_address: string, + peer_port: port, + peer_name: string) + { + print "Comm::remote_connection_established", peer_address, peer_port; + Comm::print("bro/print/hi", fmt("ping %d", n)); + ++n; + } + +event Comm::print_handler(msg: string) + { + print "got print msg", msg; + Comm::print("bro/print/hi", fmt("ping %d", n)); + ++n; + + if ( msg == "pong 5" ) + terminate(); + } + +@TEST-END-FILE From 0537711fd4b83ded01e430bd8d6192fcc3619bdd Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 27 Jan 2015 10:48:05 -0600 Subject: [PATCH 019/109] update broker submodule --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index ebc66f484a..177bdfac2c 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit ebc66f484af27a32dc5d91b1c985638847e35cf6 +Subproject commit 177bdfac2c768d9ed8f3edb10e9e2dbd0d6f8723 From d2ea87735a5a9cb34c5df4a4d4de83d399681e53 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Thu, 29 Jan 2015 10:42:48 -0600 Subject: [PATCH 020/109] broker integration: add bifs to inspect/manipulate broker data i.e. script-layer functions to convert between bro values and broker values; mostly for use w/ Bro's data store interface (coming soon). --- scripts/base/frameworks/comm/main.bro | 5 + src/Reporter.cc | 13 + src/Reporter.h | 4 + src/comm/Data.cc | 168 ++++++++- src/comm/Data.h | 155 +++++++- src/comm/Manager.cc | 26 +- src/comm/Manager.h | 15 +- src/comm/comm.bif | 490 ++++++++++++++++++++++++++ testing/btest/Baseline/comm.data/out | 99 ++++++ testing/btest/comm/data.bro | 219 ++++++++++++ 10 files changed, 1154 insertions(+), 40 deletions(-) create mode 100644 testing/btest/Baseline/comm.data/out create mode 100644 testing/btest/comm/data.bro diff --git a/scripts/base/frameworks/comm/main.bro b/scripts/base/frameworks/comm/main.bro index efe3069a1c..974e5e43af 100644 --- a/scripts/base/frameworks/comm/main.bro +++ b/scripts/base/frameworks/comm/main.bro @@ -19,4 +19,9 @@ export { name: string &optional; # nil for invalid event/args. args: vector of Comm::Data; }; + + type Comm::TableItem : record { + key: Comm::Data; + val: Comm::Data; + }; } diff --git a/src/Reporter.cc b/src/Reporter.cc index 9002633b10..cd1aa09d4c 100644 --- a/src/Reporter.cc +++ b/src/Reporter.cc @@ -123,6 +123,19 @@ void Reporter::ExprRuntimeError(const Expr* expr, const char* fmt, ...) throw InterpreterException(); } +void Reporter::RuntimeError(const Location* location, const char* fmt, ...) + { + ++errors; + PushLocation(location); + va_list ap; + va_start(ap, fmt); + FILE* out = errors_to_stderr ? stderr : 0; + DoLog("runtime error", reporter_error, out, 0, 0, true, true, "", fmt, ap); + va_end(ap); + PopLocation(); + throw InterpreterException(); + } + void Reporter::InternalError(const char* fmt, ...) { va_list ap; diff --git a/src/Reporter.h b/src/Reporter.h index e477ad8934..52bcd7d02a 100644 --- a/src/Reporter.h +++ b/src/Reporter.h 
@@ -73,6 +73,10 @@ public: // function will not return but raise an InterpreterException. void ExprRuntimeError(const Expr* expr, const char* fmt, ...); + // Report a runtime error in evaluating a Bro script expression. This + // function will not return but raise an InterpreterException. + void RuntimeError(const Location* location, const char* fmt, ...); + // Report a traffic weirdness, i.e., an unexpected protocol situation // that may lead to incorrectly processing a connnection. void Weird(const char* name); // Raises net_weird(). diff --git a/src/comm/Data.cc b/src/comm/Data.cc index b279b97529..f32bedd885 100644 --- a/src/comm/Data.cc +++ b/src/comm/Data.cc @@ -4,6 +4,10 @@ using namespace std; OpaqueType* comm::opaque_of_data_type; +OpaqueType* comm::opaque_of_set_iterator; +OpaqueType* comm::opaque_of_table_iterator; +OpaqueType* comm::opaque_of_vector_iterator; +OpaqueType* comm::opaque_of_record_iterator; static broker::port::protocol to_broker_port_proto(TransportProto tp) { @@ -20,7 +24,7 @@ static broker::port::protocol to_broker_port_proto(TransportProto tp) } } -static TransportProto to_bro_port_proto(broker::port::protocol tp) +TransportProto comm::to_bro_port_proto(broker::port::protocol tp) { switch ( tp ) { case broker::port::protocol::tcp: @@ -70,7 +74,7 @@ struct val_converter { return nullptr; } - result_type operator()(const std::string& a) + result_type operator()(std::string& a) { switch ( type->Tag() ) { case TYPE_STRING: @@ -103,7 +107,7 @@ struct val_converter { } } - result_type operator()(const broker::address& a) + result_type operator()(broker::address& a) { if ( type->Tag() == TYPE_ADDR ) { @@ -114,7 +118,7 @@ struct val_converter { return nullptr; } - result_type operator()(const broker::subnet& a) + result_type operator()(broker::subnet& a) { if ( type->Tag() == TYPE_SUBNET ) { 
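Review bot: The comment added above `RuntimeError` in `Reporter.h` is a verbatim copy of the one on `ExprRuntimeError`, so the header does not say how the two differ. The definition in `Reporter.cc` pushes the given `Location` rather than an expression, and the comment should say so: `// Report a runtime error at the given script location, for callers that have no Expr at hand. This function will not return but raise an InterpreterException.`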
@@ -125,15 +129,15 @@ struct val_converter { return nullptr; } - result_type operator()(const broker::port& a) + result_type operator()(broker::port& a) { if ( type->Tag() == TYPE_PORT ) - return new PortVal(a.number(), to_bro_port_proto(a.type())); + return new PortVal(a.number(), comm::to_bro_port_proto(a.type())); return nullptr; } - result_type operator()(const broker::time_point& a) + result_type operator()(broker::time_point& a) { if ( type->Tag() == TYPE_TIME ) return new Val(a.value, TYPE_TIME); @@ -141,7 +145,7 @@ struct val_converter { return nullptr; } - result_type operator()(const broker::time_duration& a) + result_type operator()(broker::time_duration& a) { if ( type->Tag() == TYPE_INTERVAL ) return new Val(a.value, TYPE_INTERVAL); @@ -149,7 +153,7 @@ struct val_converter { return nullptr; } - result_type operator()(const broker::enum_value& a) + result_type operator()(broker::enum_value& a) { if ( type->Tag() == TYPE_ENUM ) { @@ -175,12 +179,13 @@ struct val_converter { for ( auto& item : a ) { + broker::vector composite_key; auto indices = broker::get(item); if ( ! indices ) { - Unref(rval); - return nullptr; + composite_key.emplace_back(move(item)); + indices = &composite_key; } auto expected_index_types = tt->Indices()->Types(); @@ -226,12 +231,13 @@ struct val_converter { for ( auto& item : a ) { + broker::vector composite_key; auto indices = broker::get(item.first); if ( ! indices ) { - Unref(rval); - return nullptr; + composite_key.emplace_back(move(item.first)); + indices = &composite_key; } auto expected_index_types = tt->Indices()->Types(); @@ -341,7 +347,7 @@ Val* comm::data_to_val(broker::data d, BroType* type) return broker::visit(val_converter{type}, d); } -broker::util::optional comm::val_to_data(const Val* v) +broker::util::optional comm::val_to_data(Val* v) { switch ( v->Type()->Tag() ) { case TYPE_BOOL: 
@@ -388,7 +394,7 @@ broker::util::optional comm::val_to_data(const Val* v) { auto enum_type = v->Type()->AsEnumType(); auto enum_name = enum_type->Lookup(v->AsEnum()); - return {broker::enum_value(enum_name ? "" : enum_name)}; + return {broker::enum_value(enum_name ? enum_name : "")}; } case TYPE_STRING: { @@ -433,7 +439,9 @@ broker::util::optional comm::val_to_data(const Val* v) auto entry = table->NextEntry(k, c); auto vl = table_val->RecoverIndex(k); iter_guard ig(k, vl); - broker::vector key; + + broker::vector composite_key; + composite_key.reserve(vl->Length()); for ( auto k = 0; k < vl->Length(); ++k ) { @@ -442,9 +450,16 @@ broker::util::optional comm::val_to_data(const Val* v) if ( ! key_part ) return {}; - key.emplace_back(move(*key_part)); + composite_key.emplace_back(move(*key_part)); } + broker::data key; + + if ( composite_key.size() == 1 ) + key = move(composite_key[0]); + else + key = move(composite_key); + if ( is_set ) broker::get(rval)->emplace(move(key)); else @@ -521,7 +536,7 @@ broker::util::optional comm::val_to_data(const Val* v) return {}; } -RecordVal* comm::make_data_val(const Val* v) +RecordVal* comm::make_data_val(Val* v) { auto rval = new RecordVal(BifType::Record::Comm::Data); auto data = val_to_data(v); 
@@ -531,3 +546,120 @@ RecordVal* comm::make_data_val(const Val* v) return rval; } + +RecordVal* comm::make_data_val(broker::data d) + { + auto rval = new RecordVal(BifType::Record::Comm::Data); + rval->Assign(0, new DataVal(move(d))); + return rval; + } + +struct data_type_getter { + using result_type = EnumVal*; + + result_type operator()(bool a) + { + return new EnumVal(BifEnum::Comm::BOOL, + BifType::Enum::Comm::DataType); + } + + result_type operator()(uint64_t a) + { + return new EnumVal(BifEnum::Comm::COUNT, + BifType::Enum::Comm::DataType); + } + + result_type operator()(int64_t a) + { + return new EnumVal(BifEnum::Comm::INT, + BifType::Enum::Comm::DataType); + } + + result_type operator()(double a) + { + return new EnumVal(BifEnum::Comm::DOUBLE, + BifType::Enum::Comm::DataType); + } + + result_type operator()(const std::string& a) + { + return new EnumVal(BifEnum::Comm::STRING, + BifType::Enum::Comm::DataType); + } + + result_type operator()(const broker::address& a) + { + return new EnumVal(BifEnum::Comm::ADDR, + BifType::Enum::Comm::DataType); + } + + result_type operator()(const broker::subnet& a) + { + return new EnumVal(BifEnum::Comm::SUBNET, + BifType::Enum::Comm::DataType); + } + + result_type operator()(const broker::port& a) + { + return new EnumVal(BifEnum::Comm::PORT, + BifType::Enum::Comm::DataType); + } + + result_type operator()(const broker::time_point& a) + { + return new EnumVal(BifEnum::Comm::TIME, + BifType::Enum::Comm::DataType); + } + + result_type operator()(const broker::time_duration& a) + { + return new EnumVal(BifEnum::Comm::INTERVAL, + BifType::Enum::Comm::DataType); + } + + result_type operator()(const broker::enum_value& a) + { + return new EnumVal(BifEnum::Comm::ENUM, + BifType::Enum::Comm::DataType); + } + + result_type operator()(const broker::set& a) + { + return new EnumVal(BifEnum::Comm::SET, + BifType::Enum::Comm::DataType); + } + + result_type operator()(const broker::table& a) + { + return new 
EnumVal(BifEnum::Comm::TABLE, + BifType::Enum::Comm::DataType); + } + + result_type operator()(const broker::vector& a) + { + return new EnumVal(BifEnum::Comm::VECTOR, + BifType::Enum::Comm::DataType); + } + + result_type operator()(const broker::record& a) + { + return new EnumVal(BifEnum::Comm::RECORD, + BifType::Enum::Comm::DataType); + } +}; + +EnumVal* comm::get_data_type(RecordVal* v, Frame* frame) + { + return broker::visit(data_type_getter{}, opaque_field_to_data(v, frame)); + } + +broker::data& comm::opaque_field_to_data(RecordVal* v, Frame* f) + { + Val* d = v->Lookup(0); + + if ( ! d ) + reporter->RuntimeError(f->GetCall()->GetLocationInfo(), + "Comm::Data's opaque field is not set"); + + return static_cast(d)->data; + } diff --git a/src/comm/Data.h b/src/comm/Data.h index e3197b61da..c720dcda71 100644 --- a/src/comm/Data.h +++ b/src/comm/Data.h @@ -3,14 +3,27 @@ #include #include "Val.h" +#include "Reporter.h" +#include "Frame.h" +#include "Expr.h" namespace comm { extern OpaqueType* opaque_of_data_type; +extern OpaqueType* opaque_of_set_iterator; +extern OpaqueType* opaque_of_table_iterator; +extern OpaqueType* opaque_of_vector_iterator; +extern OpaqueType* opaque_of_record_iterator; -RecordVal* make_data_val(const Val* v); +TransportProto to_bro_port_proto(broker::port::protocol tp); -broker::util::optional val_to_data(const Val* v); +RecordVal* make_data_val(Val* v); + +RecordVal* make_data_val(broker::data d); + +EnumVal* get_data_type(RecordVal* v, Frame* frame); + +broker::util::optional val_to_data(Val* v); Val* data_to_val(broker::data d, BroType* type); 
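Review bot: In `comm::opaque_field_to_data` the error branch calls `f->GetCall()->GetLocationInfo()` without checking `f` or the call it returns. If the function is ever reached without a script call expression on the frame (not determinable from this hunk), reporting the unset field would dereference null instead of raising the runtime error. A guard such as `const Location* loc = (f && f->GetCall()) ? f->GetCall()->GetLocationInfo() : nullptr;` keeps the report path safe, provided `RuntimeError` tolerates a null location; confirm that against `PushLocation`. The `static_cast` on the return line also trusts that field 0 always holds the opaque data value, and a comment stating what guarantees that would help the next reader. `require_data_type` in `Data.h` uses the same `GetCall()` pattern.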
@@ -21,9 +34,147 @@ public: : OpaqueVal(comm::opaque_of_data_type), data(std::move(arg_data)) {} + void ValDescribe(ODesc* d) const override + { + d->Add("broker::data{"); + d->Add(broker::to_string(data)); + d->Add("}"); + } + broker::data data; }; +struct type_name_getter { + using result_type = const char*; + + result_type operator()(bool a) + { return "bool"; } + + result_type operator()(uint64_t a) + { return "uint64_t"; } + + result_type operator()(int64_t a) + { return "int64_t"; } + + result_type operator()(double a) + { return "double"; } + + result_type operator()(const std::string& a) + { return "string"; } + + result_type operator()(const broker::address& a) + { return "address"; } + + result_type operator()(const broker::subnet& a) + { return "subnet"; } + + result_type operator()(const broker::port& a) + { return "port"; } + + result_type operator()(const broker::time_point& a) + { return "time"; } + + result_type operator()(const broker::time_duration& a) + { return "interval"; } + + result_type operator()(const broker::enum_value& a) + { return "enum"; } + + result_type operator()(const broker::set& a) + { return "set"; } + + result_type operator()(const broker::table& a) + { return "table"; } + + result_type operator()(const broker::vector& a) + { return "vector"; } + + result_type operator()(const broker::record& a) + { return "record"; } +}; + +broker::data& opaque_field_to_data(RecordVal* v, Frame* f); + +template +T& require_data_type(broker::data& d, TypeTag tag, Frame* f) + { + auto ptr = broker::get(d); + + if ( ! 
ptr ) + reporter->RuntimeError(f->GetCall()->GetLocationInfo(), + "data is of type '%s' not of type '%s'", + broker::visit(type_name_getter{}, d), + type_name(tag)); + + return *ptr; + } + +template +inline T& require_data_type(RecordVal* v, TypeTag tag, Frame* f) + { + return require_data_type(opaque_field_to_data(v, f), tag, f); + } + +template +inline Val* refine(RecordVal* v, TypeTag tag, Frame* f) + { + return new Val(require_data_type(v, tag, f), tag); + } + +// Copying data in to iterator vals is not the fastest approach, but safer... + +class SetIterator : public OpaqueVal { +public: + + SetIterator(RecordVal* v, TypeTag tag, Frame* f) + : OpaqueVal(comm::opaque_of_set_iterator), + dat(require_data_type(v, TYPE_TABLE, f)), + it(dat.begin()) + {} + + broker::set dat; + broker::set::iterator it; +}; + +class TableIterator : public OpaqueVal { +public: + + TableIterator(RecordVal* v, TypeTag tag, Frame* f) + : OpaqueVal(comm::opaque_of_table_iterator), + dat(require_data_type(v, TYPE_TABLE, f)), + it(dat.begin()) + {} + + broker::table dat; + broker::table::iterator it; +}; + +class VectorIterator : public OpaqueVal { +public: + + VectorIterator(RecordVal* v, TypeTag tag, Frame* f) + : OpaqueVal(comm::opaque_of_vector_iterator), + dat(require_data_type(v, TYPE_VECTOR, f)), + it(dat.begin()) + {} + + broker::vector dat; + broker::vector::iterator it; +}; + +class RecordIterator : public OpaqueVal { +public: + + RecordIterator(RecordVal* v, TypeTag tag, Frame* f) + : OpaqueVal(comm::opaque_of_record_iterator), + dat(require_data_type(v, TYPE_VECTOR, f)), + it(dat.fields.begin()) + {} + + broker::record dat; + decltype(broker::record::fields)::iterator it; +}; + } // namespace comm #endif // BRO_COMM_DATA_H diff --git a/src/comm/Manager.cc b/src/comm/Manager.cc index bc0bc3f8a8..e64c74c377 100644 --- a/src/comm/Manager.cc +++ b/src/comm/Manager.cc 
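Review bot: `RecordIterator` passes `TYPE_VECTOR` to `require_data_type`, so a value that is not a record is reported as not being of type 'vector'; this looks like a copy of the `VectorIterator` line. All four iterator constructors also ignore their `tag` parameter and hard-code the tag instead. Passing the parameter through, `dat(require_data_type(v, tag, f)),` with the template argument unchanged, fixes the message and removes the duplication. Separately, `require_data_type` returns `*ptr` after the error call, which is only safe if `RuntimeError` never returns; a one-line comment saying so would help.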
@@ -22,7 +22,7 @@ bool comm::Manager::InitPreScript() return true; } -static int require_field(const RecordType* rt, const char* name) +static int require_field(RecordType* rt, const char* name) { auto rval = rt->FieldOffset(name); @@ -43,6 +43,10 @@ bool comm::Manager::InitPostScript() log_id_type = internal_type("Log::ID")->AsEnumType(); comm::opaque_of_data_type = new OpaqueType("Comm::Data"); + comm::opaque_of_set_iterator = new OpaqueType("Comm::SetIterator"); + comm::opaque_of_table_iterator = new OpaqueType("Comm::TableIterator"); + comm::opaque_of_vector_iterator = new OpaqueType("Comm::VectorIterator"); + comm::opaque_of_record_iterator = new OpaqueType("Comm::RecordIterator"); vector_of_data_type = new VectorType(internal_type("Comm::Data")->Ref()); auto res = broker::init(); @@ -110,7 +114,7 @@ bool comm::Manager::Disconnect(const string& addr, uint16_t port) return rval; } -bool comm::Manager::Print(string topic, string msg, const Val* flags) +bool comm::Manager::Print(string topic, string msg, Val* flags) { endpoint->send(move(topic), broker::message{move(msg)}, GetFlags(flags)); return true; @@ -122,8 +126,7 @@ bool comm::Manager::Event(std::string topic, broker::message msg, int flags) return true; } -bool comm::Manager::Log(const EnumVal* stream, const RecordVal* columns, - int flags) +bool comm::Manager::Log(EnumVal* stream, RecordVal* columns, int flags) { auto stream_name = stream->Type()->AsEnumType()->Lookup(stream->AsEnum()); @@ -150,8 +153,7 @@ bool comm::Manager::Log(const EnumVal* stream, const RecordVal* columns, return true; } -bool comm::Manager::Event(std::string topic, const RecordVal* args, - const Val* flags) +bool comm::Manager::Event(std::string topic, RecordVal* args, Val* flags) { if ( ! args->Lookup(0) ) return false; 
@@ -165,7 +167,7 @@ bool comm::Manager::Event(std::string topic, const RecordVal* args, for ( auto i = 0u; i < vv->Size(); ++i ) { auto val = vv->Lookup(i)->AsRecordVal()->Lookup(0); - auto data_val = dynamic_cast(val); + auto data_val = static_cast(val); msg.emplace_back(data_val->data); } @@ -173,7 +175,7 @@ bool comm::Manager::Event(std::string topic, const RecordVal* args, return true; } -bool comm::Manager::AutoEvent(string topic, const Val* event, const Val* flags) +bool comm::Manager::AutoEvent(string topic, Val* event, Val* flags) { if ( event->Type()->Tag() != TYPE_FUNC ) { @@ -202,7 +204,7 @@ bool comm::Manager::AutoEvent(string topic, const Val* event, const Val* flags) return true; } -bool comm::Manager::AutoEventStop(const string& topic, const Val* event) +bool comm::Manager::AutoEventStop(const string& topic, Val* event) { if ( event->Type()->Tag() != TYPE_FUNC ) { @@ -232,12 +234,12 @@ bool comm::Manager::AutoEventStop(const string& topic, const Val* event) return true; } -RecordVal* comm::Manager::MakeEventArgs(const val_list* args) +RecordVal* comm::Manager::MakeEventArgs(val_list* args) { auto rval = new RecordVal(BifType::Record::Comm::EventArgs); auto arg_vec = new VectorVal(vector_of_data_type); rval->Assign(1, arg_vec); - const Func* func; + Func* func; for ( auto i = 0u; i < args->length(); ++i ) { @@ -347,7 +349,7 @@ bool comm::Manager::UnsubscribeToLogs(const string& topic_prefix) return log_subscriptions.erase(topic_prefix); } -int comm::Manager::GetFlags(const Val* flags) +int comm::Manager::GetFlags(Val* flags) { auto r = flags->AsRecordVal(); int rval = 0; diff --git a/src/comm/Manager.h b/src/comm/Manager.h index 5e3ec350b8..44f5eb0f2b 100644 --- a/src/comm/Manager.h +++ b/src/comm/Manager.h 
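Review bot: In the `@@ -165,7 +167,7 @@` hunk of `comm::Manager::Event`, `val` comes from `Lookup(0)` on a `Comm::Data` record and is cast and dereferenced (`data_val->data`) with no null check. The BIFs added to comm.bif in this commit return `Comm::Data` records whose field 0 is unset (for example a failed `vector_lookup`), so a script can hand such a record to this loop. Switching from `dynamic_cast` to `static_cast` also drops the only point where a wrong type would have produced a null rather than an invalid object. I would add `if ( ! val ) return false;` before the cast, or report the error the way `opaque_field_to_data` does. The function starts and ends outside the hunk.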
@@ -31,18 +31,18 @@ public: bool Disconnect(const std::string& addr, uint16_t port); - bool Print(std::string topic, std::string msg, const Val* flags); + bool Print(std::string topic, std::string msg, Val* flags); bool Event(std::string topic, broker::message msg, int flags); - bool Event(std::string topic, const RecordVal* args, const Val* flags); + bool Event(std::string topic, RecordVal* args, Val* flags); - bool Log(const EnumVal* stream_id, const RecordVal* columns, int flags); + bool Log(EnumVal* stream_id, RecordVal* columns, int flags); - bool AutoEvent(std::string topic, const Val* event, const Val* flags); + bool AutoEvent(std::string topic, Val* event, Val* flags); - bool AutoEventStop(const std::string& topic, const Val* event); + bool AutoEventStop(const std::string& topic, Val* event); - RecordVal* MakeEventArgs(const val_list* args); + RecordVal* MakeEventArgs(val_list* args); bool SubscribeToPrints(std::string topic_prefix); @@ -56,7 +56,7 @@ public: bool UnsubscribeToLogs(const std::string& topic_prefix); - static int GetFlags(const Val* flags); + static int GetFlags(Val* flags); private: @@ -82,7 +82,6 @@ private: static int send_flags_self_idx; static int send_flags_peers_idx; static int send_flags_unsolicited_idx; - }; } // namespace comm diff --git a/src/comm/comm.bif b/src/comm/comm.bif index ebe206d266..b2ce0fb415 100644 --- a/src/comm/comm.bif +++ b/src/comm/comm.bif 
@@ -7,17 +7,507 @@ module Comm; +enum DataType %{ + BOOL, + INT, + COUNT, + DOUBLE, + STRING, + ADDR, + SUBNET, + PORT, + TIME, + INTERVAL, + ENUM, + SET, + TABLE, + VECTOR, + RECORD, +%} + type Comm::SendFlags: record; type Comm::Data: record; type Comm::EventArgs: record; +type Comm::TableItem: record; + function Comm::data%(d: any%): Comm::Data %{ return comm::make_data_val(d); %} +function Comm::data_type%(d: Comm::Data%): Comm::DataType + %{ + return comm::get_data_type(d->AsRecordVal(), frame); + %} + +function Comm::refine_to_bool%(d: Comm::Data%): bool + %{ + return comm::refine(d->AsRecordVal(), TYPE_BOOL, frame); + %} + +function Comm::refine_to_int%(d: Comm::Data%): int + %{ + return comm::refine(d->AsRecordVal(), TYPE_INT, frame); + %} + +function Comm::refine_to_count%(d: Comm::Data%): count + %{ + return comm::refine(d->AsRecordVal(), TYPE_COUNT, frame); + %} + +function Comm::refine_to_double%(d: Comm::Data%): double + %{ + return comm::refine(d->AsRecordVal(), TYPE_DOUBLE, frame); + %} + +function Comm::refine_to_string%(d: Comm::Data%): string + %{ + return new StringVal(comm::require_data_type(d->AsRecordVal(), + TYPE_STRING, + frame)); + %} + +function Comm::refine_to_addr%(d: Comm::Data%): addr + %{ + auto& a = comm::require_data_type(d->AsRecordVal(), + TYPE_ADDR, frame); + auto bits = reinterpret_cast(&a.bytes()); + return new AddrVal(IPAddr(*bits)); + %} + +function Comm::refine_to_subnet%(d: Comm::Data%): subnet + %{ + auto& a = comm::require_data_type(d->AsRecordVal(), + TYPE_SUBNET, frame); + auto bits = reinterpret_cast(&a.network().bytes()); + return new SubNetVal(IPPrefix(IPAddr(*bits), a.length())); + %} + +function Comm::refine_to_port%(d: Comm::Data%): port + %{ + auto& a = comm::require_data_type(d->AsRecordVal(), + TYPE_SUBNET, frame); + return new PortVal(a.number(), comm::to_bro_port_proto(a.type())); + %} + +function Comm::refine_to_time%(d: Comm::Data%): time + %{ + auto v = comm::require_data_type(d->AsRecordVal(), + 
TYPE_TIME, frame).value; + return new Val(v, TYPE_TIME); + %} + +function Comm::refine_to_interval%(d: Comm::Data%): interval + %{ + auto v = comm::require_data_type(d->AsRecordVal(), + TYPE_TIME, frame).value; + return new Val(v, TYPE_INTERVAL); + %} + +function Comm::refine_to_enum_name%(d: Comm::Data%): string + %{ + auto& v = comm::require_data_type(d->AsRecordVal(), + TYPE_ENUM, frame).name; + return new StringVal(v); + %} + +function Comm::set_create%(%): Comm::Data + %{ + return comm::make_data_val(broker::set()); + %} + +function Comm::set_clear%(s: Comm::Data%): bool + %{ + auto& v = comm::require_data_type(s->AsRecordVal(), TYPE_TABLE, + frame); + v.clear(); + return new Val(true, TYPE_BOOL); + %} + +function Comm::set_size%(s: Comm::Data%): count + %{ + auto& v = comm::require_data_type(s->AsRecordVal(), TYPE_TABLE, + frame); + return new Val(static_cast(v.size()), TYPE_COUNT); + %} + +function Comm::set_contains%(s: Comm::Data, key: Comm::Data%): bool + %{ + auto& v = comm::require_data_type(s->AsRecordVal(), TYPE_TABLE, + frame); + auto& k = comm::opaque_field_to_data(key->AsRecordVal(), frame); + return new Val(v.find(k) != v.end(), TYPE_BOOL); + %} + +function Comm::set_insert%(s: Comm::Data, key: Comm::Data%): bool + %{ + auto& v = comm::require_data_type(s->AsRecordVal(), TYPE_TABLE, + frame); + auto& k = comm::opaque_field_to_data(key->AsRecordVal(), frame); + return new Val(v.insert(k).second, TYPE_BOOL); + %} + +function Comm::set_remove%(s: Comm::Data, key: Comm::Data%): bool + %{ + auto& v = comm::require_data_type(s->AsRecordVal(), TYPE_TABLE, + frame); + auto& k = comm::opaque_field_to_data(key->AsRecordVal(), frame); + return new Val(v.erase(k) > 0, TYPE_BOOL); + %} + +function Comm::set_iterator%(s: Comm::Data%): opaque of Comm::SetIterator + %{ + return new comm::SetIterator(s->AsRecordVal(), TYPE_TABLE, frame); + %} + +function Comm::set_iterator_last%(it: opaque of Comm::SetIterator%): bool + %{ + auto set_it = static_cast(it); + return 
new Val(set_it->it == set_it->dat.end(), TYPE_BOOL); + %} + +function Comm::set_iterator_next%(it: opaque of Comm::SetIterator%): bool + %{ + auto set_it = static_cast(it); + + if ( set_it->it == set_it->dat.end() ) + return new Val(false, TYPE_BOOL); + + ++set_it->it; + return new Val(set_it->it != set_it->dat.end(), TYPE_BOOL); + %} + +function Comm::set_iterator_value%(it: opaque of Comm::SetIterator%): Comm::Data + %{ + auto set_it = static_cast(it); + auto rval = new RecordVal(BifType::Record::Comm::Data); + + if ( set_it->it == set_it->dat.end() ) + { + reporter->PushLocation(frame->GetCall()->GetLocationInfo()); + reporter->Warning("attempt to retrieve value of invalid set iterator"); + reporter->PopLocation(); + return rval; + } + + rval->Assign(0, new comm::DataVal(*set_it->it)); + return rval; + %} + +function Comm::table_create%(%): Comm::Data + %{ + return comm::make_data_val(broker::table()); + %} + +function Comm::table_clear%(t: Comm::Data%): bool + %{ + auto& v = comm::require_data_type(t->AsRecordVal(), + TYPE_TABLE, frame); + v.clear(); + return new Val(true, TYPE_BOOL); + %} + +function Comm::table_size%(t: Comm::Data%): count + %{ + auto& v = comm::require_data_type(t->AsRecordVal(), + TYPE_TABLE, frame); + return new Val(static_cast(v.size()), TYPE_COUNT); + %} + +function Comm::table_contains%(t: Comm::Data, key: Comm::Data%): bool + %{ + auto& v = comm::require_data_type(t->AsRecordVal(), + TYPE_TABLE, frame); + auto& k = comm::opaque_field_to_data(key->AsRecordVal(), frame); + return new Val(v.find(k) != v.end(), TYPE_BOOL); + %} + +function Comm::table_insert%(t: Comm::Data, key: Comm::Data, val: Comm::Data%): Comm::Data + %{ + auto& table = comm::require_data_type(t->AsRecordVal(), + TYPE_TABLE, frame); + auto& k = comm::opaque_field_to_data(key->AsRecordVal(), frame); + auto& v = comm::opaque_field_to_data(val->AsRecordVal(), frame); + + try + { + auto& prev = table.at(k); + auto rval = comm::make_data_val(move(prev)); + prev = v; + 
return rval; + } + catch (const std::out_of_range&) + { + table[k] = v; + return new RecordVal(BifType::Record::Comm::Data); + } + %} + +function Comm::table_remove%(t: Comm::Data, key: Comm::Data%): Comm::Data + %{ + auto& table = comm::require_data_type(t->AsRecordVal(), + TYPE_TABLE, frame); + auto& k = comm::opaque_field_to_data(key->AsRecordVal(), frame); + auto it = table.find(k); + + if ( it == table.end() ) + return new RecordVal(BifType::Record::Comm::Data); + else + { + auto rval = comm::make_data_val(move(it->second)); + table.erase(it); + return rval; + } + %} + +function Comm::table_lookup%(t: Comm::Data, key: Comm::Data%): Comm::Data + %{ + auto& table = comm::require_data_type(t->AsRecordVal(), + TYPE_TABLE, frame); + auto& k = comm::opaque_field_to_data(key->AsRecordVal(), frame); + auto it = table.find(k); + + if ( it == table.end() ) + return new RecordVal(BifType::Record::Comm::Data); + else + return comm::make_data_val(it->second); + %} + +function Comm::table_iterator%(t: Comm::Data%): opaque of Comm::TableIterator + %{ + return new comm::TableIterator(t->AsRecordVal(), TYPE_TABLE, frame); + %} + +function Comm::table_iterator_last%(it: opaque of Comm::TableIterator%): bool + %{ + auto ti = static_cast(it); + return new Val(ti->it == ti->dat.end(), TYPE_BOOL); + %} + +function Comm::table_iterator_next%(it: opaque of Comm::TableIterator%): bool + %{ + auto ti = static_cast(it); + + if ( ti->it == ti->dat.end() ) + return new Val(false, TYPE_BOOL); + + ++ti->it; + return new Val(ti->it != ti->dat.end(), TYPE_BOOL); + %} + +function Comm::table_iterator_value%(it: opaque of Comm::TableIterator%): Comm::TableItem + %{ + auto ti = static_cast(it); + auto rval = new RecordVal(BifType::Record::Comm::TableItem); + auto key_val = new RecordVal(BifType::Record::Comm::Data); + auto val_val = new RecordVal(BifType::Record::Comm::Data); + rval->Assign(0, key_val); + rval->Assign(1, val_val); + + if ( ti->it == ti->dat.end() ) + { + 
reporter->PushLocation(frame->GetCall()->GetLocationInfo()); + reporter->Warning("attempt to retrieve value of invalid table iterator"); + reporter->PopLocation(); + return rval; + } + + key_val->Assign(0, new comm::DataVal(ti->it->first)); + val_val->Assign(0, new comm::DataVal(ti->it->second)); + return rval; + %} + +function Comm::vector_create%(%): Comm::Data + %{ + return comm::make_data_val(broker::vector()); + %} + +function Comm::vector_clear%(v: Comm::Data%): bool + %{ + auto& vec = comm::require_data_type(v->AsRecordVal(), + TYPE_VECTOR, frame); + vec.clear(); + return new Val(true, TYPE_BOOL); + %} + +function Comm::vector_size%(v: Comm::Data%): count + %{ + auto& vec = comm::require_data_type(v->AsRecordVal(), + TYPE_VECTOR, frame); + return new Val(static_cast(vec.size()), TYPE_COUNT); + %} + +function Comm::vector_insert%(v: Comm::Data, d: Comm::Data, idx: count%): bool + %{ + auto& vec = comm::require_data_type(v->AsRecordVal(), + TYPE_VECTOR, frame); + auto& item = comm::opaque_field_to_data(d->AsRecordVal(), frame); + idx = min(idx, static_cast(vec.size())); + vec.insert(vec.begin() + idx, item); + return new Val(true, TYPE_BOOL); + %} + +function Comm::vector_replace%(v: Comm::Data, d: Comm::Data, idx: count%): Comm::Data + %{ + auto& vec = comm::require_data_type(v->AsRecordVal(), + TYPE_VECTOR, frame); + auto& item = comm::opaque_field_to_data(d->AsRecordVal(), frame); + + if ( idx >= vec.size() ) + return new RecordVal(BifType::Record::Comm::Data); + + auto rval = comm::make_data_val(move(vec[idx])); + vec[idx] = item; + return rval; + %} + +function Comm::vector_remove%(v: Comm::Data, idx: count%): Comm::Data + %{ + auto& vec = comm::require_data_type(v->AsRecordVal(), + TYPE_VECTOR, frame); + + if ( idx >= vec.size() ) + return new RecordVal(BifType::Record::Comm::Data); + + auto rval = comm::make_data_val(move(vec[idx])); + vec.erase(vec.begin() + idx); + return rval; + %} + +function Comm::vector_lookup%(v: Comm::Data, idx: count%): 
Comm::Data + %{ + auto& vec = comm::require_data_type(v->AsRecordVal(), + TYPE_VECTOR, frame); + + if ( idx >= vec.size() ) + return new RecordVal(BifType::Record::Comm::Data); + + return comm::make_data_val(vec[idx]); + %} + +function Comm::vector_iterator%(v: Comm::Data%): opaque of Comm::VectorIterator + %{ + return new comm::VectorIterator(v->AsRecordVal(), TYPE_VECTOR, frame); + %} + +function Comm::vector_iterator_last%(it: opaque of Comm::VectorIterator%): bool + %{ + auto vi = static_cast(it); + return new Val(vi->it == vi->dat.end(), TYPE_BOOL); + %} + +function Comm::vector_iterator_next%(it: opaque of Comm::VectorIterator%): bool + %{ + auto vi = static_cast(it); + + if ( vi->it == vi->dat.end() ) + return new Val(false, TYPE_BOOL); + + ++vi->it; + return new Val(vi->it != vi->dat.end(), TYPE_BOOL); + %} + +function Comm::vector_iterator_value%(it: opaque of Comm::VectorIterator%): Comm::Data + %{ + auto vi = static_cast(it); + auto rval = new RecordVal(BifType::Record::Comm::Data); + + if ( vi->it == vi->dat.end() ) + { + reporter->PushLocation(frame->GetCall()->GetLocationInfo()); + reporter->Warning("attempt to retrieve value of invalid table iterator"); + reporter->PopLocation(); + return rval; + } + + rval->Assign(0, new comm::DataVal(*vi->it)); + return rval; + %} + +function Comm::record_create%(sz: count%): Comm::Data + %{ + return comm::make_data_val(broker::record(std::vector(sz))); + %} + +function Comm::record_size%(r: Comm::Data%): count + %{ + auto& v = comm::require_data_type(r->AsRecordVal(), + TYPE_RECORD, frame); + return new Val(static_cast(v.fields.size()), TYPE_COUNT); + %} + +function Comm::record_assign%(r: Comm::Data, d: Comm::Data, idx: count%): bool + %{ + auto& v = comm::require_data_type(r->AsRecordVal(), + TYPE_RECORD, frame); + auto& item = comm::opaque_field_to_data(d->AsRecordVal(), frame); + + if ( idx >= v.fields.size() ) + return new Val(false, TYPE_BOOL); + + v.fields[idx] = item; + return new Val(true, TYPE_BOOL); + 
%} + +function Comm::record_lookup%(r: Comm::Data, idx: count%): Comm::Data + %{ + auto& v = comm::require_data_type(r->AsRecordVal(), + TYPE_RECORD, frame); + + if ( idx >= v.size() ) + return new RecordVal(BifType::Record::Comm::Data); + + if ( ! v.fields[idx] ) + return new RecordVal(BifType::Record::Comm::Data); + + return comm::make_data_val(*v.fields[idx]); + %} + +function Comm::record_iterator%(r: Comm::Data%): opaque of Comm::RecordIterator + %{ + return new comm::RecordIterator(r->AsRecordVal(), TYPE_RECORD, frame); + %} + +function Comm::record_iterator_last%(it: opaque of Comm::RecordIterator%): bool + %{ + auto ri = static_cast(it); + return new Val(ri->it == ri->dat.fields.end(), TYPE_BOOL); + %} + +function Comm::record_iterator_next%(it: opaque of Comm::RecordIterator%): bool + %{ + auto ri = static_cast(it); + + if ( ri->it == ri->dat.fields.end() ) + return new Val(false, TYPE_BOOL); + + ++ri->it; + return new Val(ri->it != ri->dat.fields.end(), TYPE_BOOL); + %} + +function Comm::record_iterator_value%(it: opaque of Comm::RecordIterator%): Comm::Data + %{ + auto ri = static_cast(it); + auto rval = new RecordVal(BifType::Record::Comm::Data); + + if ( ri->it == ri->dat.fields.end() ) + { + reporter->PushLocation(frame->GetCall()->GetLocationInfo()); + reporter->Warning("attempt to retrieve value of invalid record iterator"); + reporter->PopLocation(); + return rval; + } + + if ( ! *ri->it ) + return rval; // field isn't set + + rval->Assign(0, new comm::DataVal(**ri->it)); + return rval; + %} + event Comm::remote_connection_established%(peer_address: string, peer_port: port, peer_name: string%); diff --git a/testing/btest/Baseline/comm.data/out b/testing/btest/Baseline/comm.data/out new file mode 100644 index 0000000000..eea78d39a2 --- /dev/null +++ b/testing/btest/Baseline/comm.data/out 
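Review bot: Two of the refine functions pass the wrong `TypeTag` to `require_data_type`: `Comm::refine_to_port` passes `TYPE_SUBNET` and `Comm::refine_to_interval` passes `TYPE_TIME`. As far as Data.h shows, the tag is used only for the error text, so a mismatch is reported against the wrong expected type; use `TYPE_PORT` and `TYPE_INTERVAL`. `Comm::vector_iterator_value` likewise warns about an `invalid table iterator` and should say `invalid vector iterator`. `Comm::record_lookup` bounds-checks with `v.size()` while the other record functions use `v.fields.size()`; using the latter keeps the check next to the container it indexes.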
@@ -0,0 +1,99 @@ +Comm::BOOL +Comm::INT +Comm::COUNT +Comm::DOUBLE +Comm::STRING +Comm::ADDR +Comm::SUBNET +Comm::PORT +Comm::TIME +Comm::INTERVAL +Comm::ENUM +Comm::SET +Comm::TABLE +Comm::VECTOR +Comm::RECORD +*************************** +T +F +1 +0 +-1 +1 +0 +1.1 +-11.1 +hello +1.2.3.4 +192.168.0.0/16 +22/tcp +42.0 +180.0 +Comm::BOOL +*************************** +{ +two, +one, +three +} +0 +T +1 +T +F +T +2 +T +1 +F +{ +bye +} +0 +*************************** +{ +[two] = 2, +[one] = 1, +[three] = 3 +} +0 +[d=] +1 +T +42 +F +[d=] +2 +[d=broker::data{7}] +2 +37 +[d=broker::data{42}] +1 +*************************** +[zero, one, two] +0 +T +T +T +T +[hi, salutations, hello, greetings] +4 +[d=broker::data{hello}] +[d=broker::data{bah}] +[d=broker::data{hi}] +[hi, salutations, bah, greetings] +[d=broker::data{bah}] +[hi, salutations, greetings] +3 +*************************** +[a=, b=bee, c=1] +[a=test, b=bee, c=1] +[a=test, b=testagain, c=1] +3 +T +T +T +[d=broker::data{hi}] +[d=broker::data{hello}] +[d=broker::data{37}] +3 diff --git a/testing/btest/comm/data.bro b/testing/btest/comm/data.bro new file mode 100644 index 0000000000..3fb9dcd86e --- /dev/null +++ b/testing/btest/comm/data.bro 
@@ -0,0 +1,219 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +type bro_set: set[string]; +type bro_table: table[string] of count; +type bro_vector: vector of string; + +type bro_record : record { + a: string &optional; + b: string &default = "bee"; + c: count; +}; + +function comm_record_to_bro_record_recurse(it: opaque of Comm::RecordIterator, + rval: bro_record, + idx: count): bro_record + { + if ( Comm::record_iterator_last(it) ) + return rval; + + local field_value = Comm::record_iterator_value(it); + + if ( field_value?$d ) + switch ( idx ) { + case 0: + rval$a = Comm::refine_to_string(field_value); + break; + case 1: + rval$b = Comm::refine_to_string(field_value); + break; + case 2: + rval$c = Comm::refine_to_count(field_value); + break; + }; + + ++idx; + Comm::record_iterator_next(it); + return comm_record_to_bro_record_recurse(it, rval, idx); + } + +function comm_record_to_bro_record(d: Comm::Data): bro_record + { + return comm_record_to_bro_record_recurse(Comm::record_iterator(d), + bro_record($c = 0), 0); + } + +function +comm_set_to_bro_set_recurse(it: opaque of Comm::SetIterator, + rval: bro_set): bro_set + { + if ( Comm::set_iterator_last(it) ) + return rval; + + add rval[Comm::refine_to_string(Comm::set_iterator_value(it))]; + Comm::set_iterator_next(it); + return comm_set_to_bro_set_recurse(it, rval); + } + + +function comm_set_to_bro_set(d: Comm::Data): bro_set + { + return comm_set_to_bro_set_recurse(Comm::set_iterator(d), bro_set()); + } + +function +comm_table_to_bro_table_recurse(it: opaque of Comm::TableIterator, + rval: bro_table): bro_table + { + if ( Comm::table_iterator_last(it) ) + return rval; + + local item = Comm::table_iterator_value(it); + rval[Comm::refine_to_string(item$key)] = Comm::refine_to_count(item$val); + Comm::table_iterator_next(it); + return comm_table_to_bro_table_recurse(it, rval); + } + +function comm_table_to_bro_table(d: Comm::Data): bro_table + { + return 
comm_table_to_bro_table_recurse(Comm::table_iterator(d), + bro_table()); + } + +function comm_vector_to_bro_vector_recurse(it: opaque of Comm::VectorIterator, + rval: bro_vector): bro_vector + { + if ( Comm::vector_iterator_last(it) ) + return rval; + + rval[|rval|] = Comm::refine_to_string(Comm::vector_iterator_value(it)); + Comm::vector_iterator_next(it); + return comm_vector_to_bro_vector_recurse(it, rval); + } + +function comm_vector_to_bro_vector(d: Comm::Data): bro_vector + { + return comm_vector_to_bro_vector_recurse(Comm::vector_iterator(d), + bro_vector()); + } + +event bro_init() +{ +print Comm::data_type(Comm::data(T)); +print Comm::data_type(Comm::data(+1)); +print Comm::data_type(Comm::data(1)); +print Comm::data_type(Comm::data(1.1)); +print Comm::data_type(Comm::data("1 (how creative)")); +print Comm::data_type(Comm::data(1.1.1.1)); +print Comm::data_type(Comm::data(1.1.1.1/1)); +print Comm::data_type(Comm::data(1/udp)); +print Comm::data_type(Comm::data(double_to_time(1))); +print Comm::data_type(Comm::data(1sec)); +print Comm::data_type(Comm::data(Comm::BOOL)); +local s: bro_set = bro_set("one", "two", "three"); +local t: bro_table = bro_table(["one"] = 1, ["two"] = 2, ["three"] = 3); +local v: bro_vector = bro_vector("zero", "one", "two"); +local r: bro_record = bro_record($c = 1); +print Comm::data_type(Comm::data(s)); +print Comm::data_type(Comm::data(t)); +print Comm::data_type(Comm::data(v)); +print Comm::data_type(Comm::data(r)); + +print "***************************"; + +print Comm::refine_to_bool(Comm::data(T)); +print Comm::refine_to_bool(Comm::data(F)); +print Comm::refine_to_int(Comm::data(+1)); +print Comm::refine_to_int(Comm::data(+0)); +print Comm::refine_to_int(Comm::data(-1)); +print Comm::refine_to_count(Comm::data(1)); +print Comm::refine_to_count(Comm::data(0)); +print Comm::refine_to_double(Comm::data(1.1)); +print Comm::refine_to_double(Comm::data(-11.1)); +print Comm::refine_to_string(Comm::data("hello")); +print 
Comm::refine_to_addr(Comm::data(1.2.3.4)); +print Comm::refine_to_subnet(Comm::data(192.168.1.1/16)); +print Comm::refine_to_port(Comm::data(22/tcp)); +print Comm::refine_to_time(Comm::data(double_to_time(42))); +print Comm::refine_to_interval(Comm::data(3min)); +print Comm::refine_to_enum_name(Comm::data(Comm::BOOL)); + +print "***************************"; + +local cs = Comm::data(s); +print comm_set_to_bro_set(cs); +cs = Comm::set_create(); +print Comm::set_size(cs); +print Comm::set_insert(cs, Comm::data("hi")); +print Comm::set_size(cs); +print Comm::set_contains(cs, Comm::data("hi")); +print Comm::set_contains(cs, Comm::data("bye")); +print Comm::set_insert(cs, Comm::data("bye")); +print Comm::set_size(cs); +print Comm::set_remove(cs, Comm::data("hi")); +print Comm::set_size(cs); +print Comm::set_remove(cs, Comm::data("hi")); +print comm_set_to_bro_set(cs); +Comm::set_clear(cs); +print Comm::set_size(cs); + +print "***************************"; + +local ct = Comm::data(t); +print comm_table_to_bro_table(ct); +ct = Comm::table_create(); +print Comm::table_size(ct); +print Comm::table_insert(ct, Comm::data("hi"), Comm::data(42)); +print Comm::table_size(ct); +print Comm::table_contains(ct, Comm::data("hi")); +print Comm::refine_to_count(Comm::table_lookup(ct, Comm::data("hi"))); +print Comm::table_contains(ct, Comm::data("bye")); +print Comm::table_insert(ct, Comm::data("bye"), Comm::data(7)); +print Comm::table_size(ct); +print Comm::table_insert(ct, Comm::data("bye"), Comm::data(37)); +print Comm::table_size(ct); +print Comm::refine_to_count(Comm::table_lookup(ct, Comm::data("bye"))); +print Comm::table_remove(ct, Comm::data("hi")); +print Comm::table_size(ct); + +print "***************************"; + +local cv = Comm::data(v); +print comm_vector_to_bro_vector(cv); +cv = Comm::vector_create(); +print Comm::vector_size(cv); +print Comm::vector_insert(cv, Comm::data("hi"), 0); +print Comm::vector_insert(cv, Comm::data("hello"), 1); +print 
Comm::vector_insert(cv, Comm::data("greetings"), 2); +print Comm::vector_insert(cv, Comm::data("salutations"), 1); +print comm_vector_to_bro_vector(cv); +print Comm::vector_size(cv); +print Comm::vector_replace(cv, Comm::data("bah"), 2); +print Comm::vector_lookup(cv, 2); +print Comm::vector_lookup(cv, 0); +print comm_vector_to_bro_vector(cv); +print Comm::vector_remove(cv, 2); +print comm_vector_to_bro_vector(cv); +print Comm::vector_size(cv); + +print "***************************"; + +local cr = Comm::data(r); +print comm_record_to_bro_record(cr); +r$a = "test"; +cr = Comm::data(r); +print comm_record_to_bro_record(cr); +r$b = "testagain"; +cr = Comm::data(r); +print comm_record_to_bro_record(cr); +cr = Comm::record_create(3); +print Comm::record_size(cr); +print Comm::record_assign(cr, Comm::data("hi"), 0); +print Comm::record_assign(cr, Comm::data("hello"), 1); +print Comm::record_assign(cr, Comm::data(37), 2); +print Comm::record_lookup(cr, 0); +print Comm::record_lookup(cr, 1); +print Comm::record_lookup(cr, 2); +print Comm::record_size(cr); +} From 9875f5d3eba7e19506c6b2970d8c8ea444927007 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 30 Jan 2015 14:39:16 -0600 Subject: [PATCH 021/109] broker integration: add distributed data store api But haven't done the full gamut of testing on it yet. --- scripts/base/frameworks/comm/main.bro | 38 ++- src/Trigger.cc | 12 +- src/Trigger.h | 5 + src/comm/CMakeLists.txt | 10 +- src/comm/Data.cc | 2 +- src/comm/Manager.cc | 145 +++++++++- src/comm/Manager.h | 17 ++ src/comm/Store.cc | 141 ++++++++++ src/comm/Store.h | 113 ++++++++ src/comm/{comm.bif => data.bif} | 151 +--------- src/comm/messaging.bif | 156 +++++++++++ src/comm/store.bif | 378 ++++++++++++++++++++++++++ 12 files changed, 1012 insertions(+), 156 deletions(-) create mode 100644 src/comm/Store.cc create mode 100644 src/comm/Store.h rename src/comm/{comm.bif => data.bif} (76%) create mode 100644 src/comm/messaging.bif create mode 100644 src/comm/store.bif 
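Review bot: The test covers only successful calls; nothing exercises the paths this commit adds for bad input: an out-of-range index, an iterator read at the end, or a `refine_to_*` call on data of another type. Those are the paths that matter when the data was built from values the script did not create itself. I would add at least `print Comm::vector_lookup(cv, 10);` and `print Comm::record_lookup(Comm::record_create(1), 0);`, both of which should print `[d=]` according to the BIF code, and update the baseline to match. The type-mismatch case raises a runtime error and probably needs its own test file.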
diff --git a/scripts/base/frameworks/comm/main.bro b/scripts/base/frameworks/comm/main.bro index 974e5e43af..a2cd1f6ac0 100644 --- a/scripts/base/frameworks/comm/main.bro +++ b/scripts/base/frameworks/comm/main.bro @@ -15,9 +15,11 @@ export { d: opaque of Comm::Data &optional; }; + type DataVector: vector of Comm::Data; + type EventArgs: record { name: string &optional; # nil for invalid event/args. - args: vector of Comm::Data; + args: DataVector; }; type Comm::TableItem : record { @@ -25,3 +27,37 @@ export { val: Comm::Data; }; } + +module Store; + +export { + + type QueryStatus: enum { + SUCCESS, + FAILURE, + }; + + type ExpiryTime: record { + absolute: time &optional; + since_last_modification: interval &optional; + }; + + type QueryResult: record { + status: Store::QueryStatus; + result: Comm::Data; + }; + + type SQLiteOptions: record { + path: string &default = "store.sqlite"; + }; + + type RocksDBOptions: record { + path: string &default = "store.rocksdb"; + use_merge_operator: bool &default = F; + }; + + type BackendOptions: record { + sqlite: SQLiteOptions &default = SQLiteOptions(); + rocksdb: RocksDBOptions &default = RocksDBOptions(); + }; +} diff --git a/src/Trigger.cc b/src/Trigger.cc index 099027f4e0..772a991791 100644 --- a/src/Trigger.cc +++ b/src/Trigger.cc @@ -112,6 +112,7 @@ Trigger::Trigger(Expr* arg_cond, Stmt* arg_body, Stmt* arg_timeout_stmts, attached = 0; is_return = arg_is_return; location = arg_location; + timeout_value = -1; ++total_triggers; 
@@ -133,17 +134,22 @@ Trigger::Trigger(Expr* arg_cond, Stmt* arg_body, Stmt* arg_timeout_stmts, Val* timeout_val = arg_timeout ? arg_timeout->Eval(arg_frame) : 0; + if ( timeout_val ) + { + Unref(timeout_val); + timeout_value = timeout_val->AsInterval(); + } + // Make sure we don't get deleted if somebody calls a method like // Timeout() while evaluating the trigger. Ref(this); - if ( ! Eval() && timeout_val ) + if ( ! Eval() && timeout_value >= 0 ) { - timer = new TriggerTimer(timeout_val->AsInterval(), this); + timer = new TriggerTimer(timeout_value, this); timer_mgr->Add(timer); } - Unref(timeout_val); Unref(this); } diff --git a/src/Trigger.h b/src/Trigger.h index b752ea8ada..7662901dc5 100644 --- a/src/Trigger.h +++ b/src/Trigger.h @@ -32,6 +32,10 @@ public: // Executes timeout code and deletes the object. void Timeout(); + // Return the timeout interval (negative if none was specified). + double TimeoutValue() const + { return timeout_value; } + // Called if another entity needs to complete its operations first // in any case before this trigger can proceed. void Hold() { delayed = true; } @@ -87,6 +91,7 @@ private: Stmt* body; Stmt* timeout_stmts; Expr* timeout; + double timeout_value; Frame* frame; bool is_return; const Location* location; diff --git a/src/comm/CMakeLists.txt b/src/comm/CMakeLists.txt index 95ad701d71..da726e54d6 100644 --- a/src/comm/CMakeLists.txt +++ b/src/comm/CMakeLists.txt @@ -5,12 +5,20 @@ include_directories(BEFORE ${CMAKE_CURRENT_BINARY_DIR} ) +if ( ROCKSDB_INCLUDE_DIR ) + add_definitions(-DHAVE_ROCKSDB) + include_directories(BEFORE ${ROCKSDB_INCLUDE_DIR}) +endif () + set(comm_SRCS Data.cc Manager.cc + Store.cc ) -bif_target(comm.bif) +bif_target(data.bif) +bif_target(messaging.bif) +bif_target(store.bif) bro_add_subdir_library(comm ${comm_SRCS} ${BIF_OUTPUT_CC}) add_dependencies(bro_comm generate_outputs) diff --git a/src/comm/Data.cc b/src/comm/Data.cc index f32bedd885..3b1a240988 100644 --- a/src/comm/Data.cc 
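Review bot: In the `Trigger::Trigger` hunk of src/Trigger.cc, the new `if ( timeout_val )` block releases the value before reading it: `Unref(timeout_val);` is followed by `timeout_value = timeout_val->AsInterval();`. If that `Unref` drops the last reference, the read is a use-after-free. Copy the interval out first, i.e. `timeout_value = timeout_val->AsInterval();` and only then `Unref(timeout_val);`. Also note that a negative interval now installs no timer, because the test changed from `timeout_val` being non-null to `timeout_value >= 0`; a short comment should say whether that is intended. The constructor body starts above this hunk.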
+++ b/src/comm/Data.cc @@ -1,5 +1,5 @@ #include "Data.h" -#include "comm/comm.bif.h" +#include "comm/data.bif.h" using namespace std; diff --git a/src/comm/Manager.cc b/src/comm/Manager.cc index e64c74c377..9f17878cf6 100644 --- a/src/comm/Manager.cc +++ b/src/comm/Manager.cc @@ -1,12 +1,15 @@ #include "Manager.h" #include "Data.h" +#include "Store.h" #include #include #include #include "util.h" #include "Var.h" #include "Reporter.h" -#include "comm/comm.bif.h" +#include "comm/data.bif.h" +#include "comm/messaging.bif.h" +#include "comm/store.bif.h" #include "logging/Manager.h" using namespace std; @@ -17,6 +20,12 @@ int comm::Manager::send_flags_self_idx; int comm::Manager::send_flags_peers_idx; int comm::Manager::send_flags_unsolicited_idx; +comm::Manager::~Manager() + { + for ( auto& s : data_stores ) + CloseStore(s.first); + } + bool comm::Manager::InitPreScript() { return true; @@ -47,6 +56,7 @@ bool comm::Manager::InitPostScript() comm::opaque_of_table_iterator = new OpaqueType("Comm::TableIterator"); comm::opaque_of_vector_iterator = new OpaqueType("Comm::VectorIterator"); comm::opaque_of_record_iterator = new OpaqueType("Comm::RecordIterator"); + comm::opaque_of_store_handle = new OpaqueType("Store::Handle"); vector_of_data_type = new VectorType(internal_type("Comm::Data")->Ref()); auto res = broker::init(); @@ -385,6 +395,9 @@ void comm::Manager::GetFds(iosource::FD_Set* read, iosource::FD_Set* write, for ( const auto& ps : log_subscriptions ) read->Insert(ps.second.fd()); + + for ( const auto& s : data_stores ) + read->Insert(s.second->store->responses().fd()); } double comm::Manager::NextTimestamp(double* local_network_time) 
@@ -393,6 +406,49 @@ double comm::Manager::NextTimestamp(double* local_network_time) return timer_mgr->Time(); } +struct response_converter { + using result_type = RecordVal*; + + result_type operator()(bool d) + { + return comm::make_data_val(broker::data{d}); + } + + result_type operator()(uint64_t d) + { + return comm::make_data_val(broker::data{d}); + } + + result_type operator()(broker::data& d) + { + return comm::make_data_val(move(d)); + } + + result_type operator()(std::vector& d) + { + return comm::make_data_val(broker::data{move(d)}); + } + + result_type operator()(broker::store::snapshot& d) + { + broker::table table; + + for ( auto& item : d.entries ) + { + auto& key = item.first; + auto& val = item.second.item; + table[move(key)] = move(val); + } + + return comm::make_data_val(broker::data{move(table)}); + } +}; + +static RecordVal* response_to_val(broker::store::response r) + { + return broker::visit(response_converter{}, r.reply.value); + } + void comm::Manager::Process() { bool idle = true; 
@@ -624,5 +680,92 @@ void comm::Manager::Process() } } + for ( const auto& s : data_stores ) + { + auto responses = s.second->store->responses().want_pop(); + + if ( responses.empty() ) + continue; + + idle = false; + + for ( auto& response : responses ) + { + auto ck = static_cast(response.cookie); + auto it = pending_queries.find(ck); + + if ( it == pending_queries.end() ) + { + reporter->Warning("unmatched response to query on store %s", + s.second->store->id().data()); + continue; + } + + auto query = *it; + + switch ( response.reply.stat ) { + case broker::store::result::status::timeout: + // Fine, trigger's timeout takes care of things. + break; + case broker::store::result::status::failure: + query->Result(query_result()); + break; + case broker::store::result::status::success: + query->Result(query_result(response_to_val(move(response)))); + break; + default: + reporter->InternalWarning("unknown store response status: %d", + static_cast(response.reply.stat)); + break; + } + + pending_queries.erase(it); + } + } + SetIdle(idle); } + +bool comm::Manager::AddStore(StoreHandleVal* handle) + { + if ( ! handle->store ) + return false; + + if ( data_stores.find(handle->store->id()) != data_stores.end() ) + return false; + + data_stores[handle->store->id()] = handle; + Ref(handle); + return true; + } + +bool comm::Manager::CloseStore(const broker::store::identifier& id) + { + auto it = data_stores.find(id); + + if ( it == data_stores.end() ) + return false; + + for ( auto it = pending_queries.begin(); it != pending_queries.end(); ) + { + auto query = *it; + + if ( query->StoreID() == id ) + { + it = pending_queries.erase(it); + query->Abort(); + delete query; + } + else + ++it; + } + + it->second->store = nullptr; + Unref(it->second); + return true; + } + +bool comm::Manager::TrackStoreQuery(StoreQueryCallback* cb) + { + return pending_queries.insert(cb).second; + } diff --git a/src/comm/Manager.h b/src/comm/Manager.h index 44f5eb0f2b..c9cc2c8464 100644 
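Review bot: In src/comm/Manager.cc, `CloseStore()` sets `it->second->store = nullptr` and calls `Unref(it->second)` but never removes the entry from `data_stores`. The loops in `GetFds()` (earlier hunk) and `Process()` therefore still call `s.second->store->responses()` for a closed store, which dereferences a null `store` or, if the `Unref` freed the handle, a dangling pointer. The stale entry also makes `AddStore()` reject the same id forever. Adding `data_stores.erase(it);` after the `Unref` fixes the lookup side, but anything iterating the map at the time (`~Manager()`, and `Process()` if a trigger body can close a store) must then tolerate the erase. Separately, the response loop does `pending_queries.erase(it)` with no `delete query`, whereas `CloseStore()` deletes its callbacks, so answered queries appear to leak the callback and the trigger reference it holds.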
--- a/src/comm/Manager.h +++ b/src/comm/Manager.h @@ -6,6 +6,8 @@ #include #include #include +#include +#include "comm/Store.h" #include "Reporter.h" #include "iosource/IOSource.h" #include "Val.h" @@ -17,8 +19,11 @@ namespace comm { // Manages various forms of communication between peer Bro processes // or possibly between different parts of a single Bro process. class Manager : public iosource::IOSource { +friend class StoreHandleVal; public: + ~Manager(); + bool InitPreScript(); bool InitPostScript(); @@ -56,6 +61,12 @@ public: bool UnsubscribeToLogs(const std::string& topic_prefix); + bool AddStore(StoreHandleVal* handle); + + bool CloseStore(const broker::store::identifier& id); + + bool TrackStoreQuery(StoreQueryCallback* cb); + static int GetFlags(Val* flags); private: @@ -71,12 +82,18 @@ private: const char* Tag() override { return "Comm::Manager"; } + broker::endpoint& Endpoint() + { return *endpoint; } + std::unique_ptr endpoint; std::map, broker::peering> peers; std::map print_subscriptions; std::map event_subscriptions; std::map log_subscriptions; + std::map data_stores; + std::unordered_set pending_queries; + static VectorType* vector_of_data_type; static EnumType* log_id_type; static int send_flags_self_idx; diff --git a/src/comm/Store.cc b/src/comm/Store.cc new file mode 100644 index 0000000000..0d94795ce8 --- /dev/null +++ b/src/comm/Store.cc 
@@ -0,0 +1,141 @@ +#include "Store.h" +#include "comm/Manager.h" + +#include +#include +#include + +#ifdef HAVE_ROCKSDB +#include +#include +#endif + +OpaqueType* comm::opaque_of_store_handle; + +comm::StoreHandleVal::StoreHandleVal(broker::store::identifier id, + comm::StoreType arg_type, + broker::util::optional arg_back, + RecordVal* backend_options, std::chrono::duration resync) + : OpaqueVal(opaque_of_store_handle), + store(), store_type(arg_type), backend_type(arg_back) + { + using BifEnum::Store::BackendType; + std::unique_ptr backend; + + if ( backend_type ) + switch ( *backend_type ) { + case BackendType::MEMORY: + backend.reset(new broker::store::memory_backend); + break; + case BackendType::SQLITE: + { + auto sqlite = new broker::store::sqlite_backend; + std::string path = backend_options->Lookup(0)->AsRecordVal() + ->Lookup(0)->AsStringVal()->CheckString(); + + if ( sqlite->open(path) ) + backend.reset(sqlite); + else + { + reporter->Error("failed to open sqlite backend at path %s: %s", + path.data(), sqlite->last_error().data()); + delete sqlite; + } + } + break; + case BackendType::ROCKSDB: + { +#ifdef HAVE_ROCKSDB + std::string path = backend_options->Lookup(1)->AsRecordVal() + ->Lookup(0)->AsStringVal()->CheckString(); + bool use_merge_op = backend_options->Lookup(1)->AsRecordVal() + ->Lookup(1)->AsBool(); + rocksdb::Options rock_op; + rock_op.create_if_missing = true; + + if ( use_merge_op ) + options.merge_operator.reset(new rocksdb_merge_operator); + + auto rocksdb = new broker::store::rocksdb_backend; + + if ( rocksdb->open(path, options).ok() ) + backend.reset(rocksdb); + else + { + reporter->Error("failed to open rocksdb backend at path %s: %s", + path.data(), rocksdb->last_error().data()); + delete rocksdb; + } +#else + reporter->Error("rocksdb backend support is not enabled"); +#endif + } + break; + default: + reporter->FatalError("unknown data store backend: %d", + static_cast(*backend_type)); + } + + switch ( store_type ) { + case 
StoreType::FRONTEND: + store.reset(new broker::store::frontend(comm_mgr->Endpoint(), + move(id))); + break; + case StoreType::MASTER: + store.reset(new broker::store::master(comm_mgr->Endpoint(), + move(id), move(backend))); + break; + case StoreType::CLONE: + store.reset(new broker::store::clone(comm_mgr->Endpoint(), + move(id), resync, + move(backend))); + break; + default: + reporter->FatalError("unknown data store type: %d", + static_cast(store_type)); + } + } + +void comm::StoreHandleVal::ValDescribe(ODesc* d) const + { + using BifEnum::Store::BackendType; + d->Add("broker::store::"); + + switch ( store_type ) { + case StoreType::FRONTEND: + d->Add("frontend"); + break; + case StoreType::MASTER: + d->Add("master"); + break; + case StoreType::CLONE: + d->Add("clone"); + break; + default: + d->Add("unknown"); + } + + d->Add("{"); + d->Add(store->id()); + + if ( backend_type ) + { + d->Add(", "); + + switch ( *backend_type ) { + case BackendType::MEMORY: + d->Add("memory"); + break; + case BackendType::SQLITE: + d->Add("sqlite"); + break; + case BackendType::ROCKSDB: + d->Add("rocksdb"); + break; + default: + d->Add("unknown"); + } + } + + d->Add("}"); + } diff --git a/src/comm/Store.h b/src/comm/Store.h new file mode 100644 index 0000000000..b3a8ccb339 --- /dev/null +++ b/src/comm/Store.h 
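Review bot: The ROCKSDB branch of the `StoreHandleVal` constructor in src/comm/Store.cc declares `rocksdb::Options rock_op` but then uses a name `options` that no visible declaration provides, in `options.merge_operator.reset(...)` and `rocksdb->open(path, options)`. The file therefore looks like it cannot compile once `HAVE_ROCKSDB` is defined, and `create_if_missing` would not reach `open()` anyway. Use the declared object in both places: `rock_op.merge_operator.reset(new rocksdb_merge_operator);` and `if ( rocksdb->open(path, rock_op).ok() )`. In `ValDescribe`, `d->Add(store->id());` dereferences `store` unconditionally although `Manager::CloseStore()` resets it to null, so printing a closed handle needs a guard such as `if ( store ) d->Add(store->id());`.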
@@ -0,0 +1,113 @@ +#ifndef BRO_COMM_STORE_H +#define BRO_COMM_STORE_H + +#include "comm/store.bif.h" +#include "comm/data.bif.h" +#include "Reporter.h" +#include "Type.h" +#include "Val.h" +#include "Trigger.h" + +#include + +namespace comm { + +extern OpaqueType* opaque_of_store_handle; + +enum StoreType { + FRONTEND, + MASTER, + CLONE, +}; + +inline EnumVal* query_status(bool success) + { + static EnumType* store_query_status = nullptr; + static int success_val; + static int failure_val; + + if ( ! store_query_status ) + { + store_query_status = internal_type("Store::QueryStatus")->AsEnumType(); + success_val = store_query_status->Lookup("Store", "SUCCESS"); + failure_val = store_query_status->Lookup("Store", "FAILURE"); + } + + return new EnumVal(success ? success_val : failure_val, store_query_status); + } + +inline RecordVal* query_result() + { + auto rval = new RecordVal(BifType::Record::Store::QueryResult); + rval->Assign(0, query_status(false)); + rval->Assign(1, new RecordVal(BifType::Record::Comm::Data)); + return rval; + } + +inline RecordVal* query_result(RecordVal* data) + { + auto rval = new RecordVal(BifType::Record::Store::QueryResult); + rval->Assign(0, query_status(true)); + rval->Assign(1, data); + return rval; + } + +class StoreQueryCallback { +public: + + StoreQueryCallback(Trigger* arg_trigger, const CallExpr* arg_call, + broker::store::identifier arg_store_id) + : trigger(arg_trigger), call(arg_call), store_id(move(arg_store_id)) + { + Ref(trigger); + } + + ~StoreQueryCallback() + { + Unref(trigger); + } + + void Result(RecordVal* result) + { + trigger->Cache(call, result); + trigger->Release(); + Unref(result); + } + + void Abort() + { + auto result = query_result(); + trigger->Cache(call, result); + trigger->Release(); + Unref(result); + } + + const broker::store::identifier& StoreID() const + { return store_id; } + +private: + + Trigger* trigger; + const CallExpr* call; + broker::store::identifier store_id; +}; + +class StoreHandleVal : 
public OpaqueVal { +public: + + StoreHandleVal(broker::store::identifier id, + comm::StoreType arg_type, + broker::util::optional arg_back, + RecordVal* backend_options, + std::chrono::duration resync = std::chrono::seconds(1)); + + void ValDescribe(ODesc* d) const override; + + std::unique_ptr store; + comm::StoreType store_type; + broker::util::optional backend_type; +}; + +} // namespace comm + +#endif // BRO_COMM_STORE_H diff --git a/src/comm/comm.bif b/src/comm/data.bif similarity index 76% rename from src/comm/comm.bif rename to src/comm/data.bif index b2ce0fb415..2a78a9229a 100644 --- a/src/comm/comm.bif +++ b/src/comm/data.bif @@ -1,8 +1,8 @@ +##! Functions for inspecting and manipulating broker data. + %%{ -#include "comm/Manager.h" #include "comm/Data.h" -#include "logging/Manager.h" %%} module Comm; @@ -25,12 +25,8 @@ enum DataType %{ RECORD, %} -type Comm::SendFlags: record; - type Comm::Data: record; -type Comm::EventArgs: record; - type Comm::TableItem: record; function Comm::data%(d: any%): Comm::Data 
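Review bot: `StoreQueryCallback` in src/comm/Store.h takes a reference on `trigger` in its constructor and drops it in the destructor, yet the class stays implicitly copyable, so any copy would `Unref` the same trigger twice. `Manager` only handles these objects by pointer, so the copy operations can simply be deleted: `StoreQueryCallback(const StoreQueryCallback&) = delete;` and `StoreQueryCallback& operator=(const StoreQueryCallback&) = delete;`. A one-line class comment stating who is expected to `delete` a callback once it leaves `pending_queries` would make the ownership explicit. `Result()` and `Abort()` also differ only in the value they cache, so `Abort()` could be written as `Result(query_result());`.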
@@ -507,146 +503,3 @@ function Comm::record_iterator_value%(it: opaque of Comm::RecordIterator%): Comm rval->Assign(0, new comm::DataVal(**ri->it)); return rval; %} - -event Comm::remote_connection_established%(peer_address: string, - peer_port: port, - peer_name: string%); - -event Comm::remote_connection_broken%(peer_address: string, - peer_port: port%); - -event Comm::remote_connection_incompatible%(peer_address: string, - peer_port: port%); - -function Comm::listen%(p: port, a: string &default = "", - reuse: bool &default = T%): bool - %{ - if ( ! p->IsTCP() ) - { - reporter->Error("listen port must use tcp"); - return new Val(false, TYPE_BOOL); - } - - auto rval = comm_mgr->Listen(p->Port(), a->Len() ? a->CheckString() : 0, - reuse); - return new Val(rval, TYPE_BOOL); - %} - -function Comm::connect%(a: string, p: port, retry: interval%): bool - %{ - if ( ! p->IsTCP() ) - { - reporter->Error("remote connection port must use tcp"); - return new Val(false, TYPE_BOOL); - } - - auto rval = comm_mgr->Connect(a->CheckString(), p->Port(), - std::chrono::duration(retry)); - return new Val(rval, TYPE_BOOL); - %} - -function Comm::disconnect%(a: string, p: port%): bool - %{ - if ( ! 
p->IsTCP() ) - { - reporter->Error("remote connection port must use tcp"); - return new Val(false, TYPE_BOOL); - } - - auto rval = comm_mgr->Disconnect(a->CheckString(), p->Port()); - return new Val(rval, TYPE_BOOL); - %} - -event Comm::print_handler%(msg: string%); - -function Comm::print%(topic: string, msg: string, - flags: SendFlags &default = SendFlags()%): bool - %{ - auto rval = comm_mgr->Print(topic->CheckString(), msg->CheckString(), - flags); - return new Val(rval, TYPE_BOOL); - %} - -function Comm::subscribe_to_prints%(topic_prefix: string%): bool - %{ - auto rval = comm_mgr->SubscribeToPrints(topic_prefix->CheckString()); - return new Val(rval, TYPE_BOOL); - %} - -function Comm::unsubscribe_to_prints%(topic_prefix: string%): bool - %{ - auto rval = comm_mgr->UnsubscribeToPrints(topic_prefix->CheckString()); - return new Val(rval, TYPE_BOOL); - %} - -function Comm::event_args%(...%): Comm::EventArgs - %{ - auto rval = comm_mgr->MakeEventArgs(@ARGS@); - return rval; - %} - -function Comm::event%(topic: string, args: Comm::EventArgs, - flags: SendFlags &default = SendFlags()%): bool - %{ - auto rval = comm_mgr->Event(topic->CheckString(), args->AsRecordVal(), - flags); - return new Val(rval, TYPE_BOOL); - %} - -function Comm::auto_event%(topic: string, ev: any, - flags: SendFlags &default = SendFlags()%): bool - %{ - auto rval = comm_mgr->AutoEvent(topic->CheckString(), ev, flags); - return new Val(rval, TYPE_BOOL); - %} - -function Comm::auto_event_stop%(topic: string, ev: any%): bool - %{ - auto rval = comm_mgr->AutoEventStop(topic->CheckString(), ev); - return new Val(rval, TYPE_BOOL); - %} - -function Comm::subscribe_to_events%(topic_prefix: string%): bool - %{ - auto rval = comm_mgr->SubscribeToEvents(topic_prefix->CheckString()); - return new Val(rval, TYPE_BOOL); - %} - -function Comm::unsubscribe_to_events%(topic_prefix: string%): bool - %{ - auto rval = comm_mgr->UnsubscribeToEvents(topic_prefix->CheckString()); - return new Val(rval, TYPE_BOOL); 
- %} - -function -Comm::enable_remote_logs%(id: Log::ID, - flags: SendFlags &default = SendFlags()%): bool - %{ - auto rval = log_mgr->EnableRemoteLogs(id->AsEnumVal(), - comm::Manager::GetFlags(flags)); - return new Val(rval, TYPE_BOOL); - %} - -function Comm::disable_remote_logs%(id: Log::ID%): bool - %{ - auto rval = log_mgr->DisableRemoteLogs(id->AsEnumVal()); - return new Val(rval, TYPE_BOOL); - %} - -function Comm::remote_logs_enabled%(id: Log::ID%): bool - %{ - auto rval = log_mgr->RemoteLogsAreEnabled(id->AsEnumVal()); - return new Val(rval, TYPE_BOOL); - %} - -function Comm::subscribe_to_logs%(topic_prefix: string%): bool - %{ - auto rval = comm_mgr->SubscribeToLogs(topic_prefix->CheckString()); - return new Val(rval, TYPE_BOOL); - %} - -function Comm::unsubscribe_to_logs%(topic_prefix: string%): bool - %{ - auto rval = comm_mgr->UnsubscribeToLogs(topic_prefix->CheckString()); - return new Val(rval, TYPE_BOOL); - %} diff --git a/src/comm/messaging.bif b/src/comm/messaging.bif new file mode 100644 index 0000000000..f5034f842f --- /dev/null +++ b/src/comm/messaging.bif 
@@ -0,0 +1,156 @@ + +##! Functions for peering and various messaging patterns (e.g. print/log/event). + +%%{ +#include "comm/Manager.h" +#include "logging/Manager.h" +%%} + +module Comm; + +type Comm::SendFlags: record; + +type Comm::EventArgs: record; + +event Comm::remote_connection_established%(peer_address: string, + peer_port: port, + peer_name: string%); + +event Comm::remote_connection_broken%(peer_address: string, + peer_port: port%); + +event Comm::remote_connection_incompatible%(peer_address: string, + peer_port: port%); + +function Comm::listen%(p: port, a: string &default = "", + reuse: bool &default = T%): bool + %{ + if ( ! p->IsTCP() ) + { + reporter->Error("listen port must use tcp"); + return new Val(false, TYPE_BOOL); + } + + auto rval = comm_mgr->Listen(p->Port(), a->Len() ? a->CheckString() : 0, + reuse); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::connect%(a: string, p: port, retry: interval%): bool + %{ + if ( ! p->IsTCP() ) + { + reporter->Error("remote connection port must use tcp"); + return new Val(false, TYPE_BOOL); + } + + auto rval = comm_mgr->Connect(a->CheckString(), p->Port(), + std::chrono::duration(retry)); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::disconnect%(a: string, p: port%): bool + %{ + if ( ! 
p->IsTCP() ) + { + reporter->Error("remote connection port must use tcp"); + return new Val(false, TYPE_BOOL); + } + + auto rval = comm_mgr->Disconnect(a->CheckString(), p->Port()); + return new Val(rval, TYPE_BOOL); + %} + +event Comm::print_handler%(msg: string%); + +function Comm::print%(topic: string, msg: string, + flags: SendFlags &default = SendFlags()%): bool + %{ + auto rval = comm_mgr->Print(topic->CheckString(), msg->CheckString(), + flags); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::subscribe_to_prints%(topic_prefix: string%): bool + %{ + auto rval = comm_mgr->SubscribeToPrints(topic_prefix->CheckString()); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::unsubscribe_to_prints%(topic_prefix: string%): bool + %{ + auto rval = comm_mgr->UnsubscribeToPrints(topic_prefix->CheckString()); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::event_args%(...%): Comm::EventArgs + %{ + auto rval = comm_mgr->MakeEventArgs(@ARGS@); + return rval; + %} + +function Comm::event%(topic: string, args: Comm::EventArgs, + flags: SendFlags &default = SendFlags()%): bool + %{ + auto rval = comm_mgr->Event(topic->CheckString(), args->AsRecordVal(), + flags); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::auto_event%(topic: string, ev: any, + flags: SendFlags &default = SendFlags()%): bool + %{ + auto rval = comm_mgr->AutoEvent(topic->CheckString(), ev, flags); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::auto_event_stop%(topic: string, ev: any%): bool + %{ + auto rval = comm_mgr->AutoEventStop(topic->CheckString(), ev); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::subscribe_to_events%(topic_prefix: string%): bool + %{ + auto rval = comm_mgr->SubscribeToEvents(topic_prefix->CheckString()); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::unsubscribe_to_events%(topic_prefix: string%): bool + %{ + auto rval = comm_mgr->UnsubscribeToEvents(topic_prefix->CheckString()); + return new Val(rval, TYPE_BOOL); 
+ %} + +function +Comm::enable_remote_logs%(id: Log::ID, + flags: SendFlags &default = SendFlags()%): bool + %{ + auto rval = log_mgr->EnableRemoteLogs(id->AsEnumVal(), + comm::Manager::GetFlags(flags)); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::disable_remote_logs%(id: Log::ID%): bool + %{ + auto rval = log_mgr->DisableRemoteLogs(id->AsEnumVal()); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::remote_logs_enabled%(id: Log::ID%): bool + %{ + auto rval = log_mgr->RemoteLogsAreEnabled(id->AsEnumVal()); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::subscribe_to_logs%(topic_prefix: string%): bool + %{ + auto rval = comm_mgr->SubscribeToLogs(topic_prefix->CheckString()); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::unsubscribe_to_logs%(topic_prefix: string%): bool + %{ + auto rval = comm_mgr->UnsubscribeToLogs(topic_prefix->CheckString()); + return new Val(rval, TYPE_BOOL); + %} diff --git a/src/comm/store.bif b/src/comm/store.bif new file mode 100644 index 0000000000..fb4c8d57ce --- /dev/null +++ b/src/comm/store.bif 
@@ -0,0 +1,378 @@ + +##! Functions to interface with broker's distributed data store. + +%%{ +#include "comm/Manager.h" +#include "comm/Store.h" +#include "comm/Data.h" +#include "Trigger.h" +%%} + +module Store; + +type Store::ExpiryTime: record; + +type Store::QueryResult: record; + +type Store::BackendOptions: record; + +enum BackendType %{ + MEMORY, + SQLITE, + ROCKSDB, +%} + +function Store::create_master%(id: string, b: BackendType &default = MEMORY, + options: BackendOptions &default = BackendOptions()%): opaque of Store::Handle + %{ + auto rval = new comm::StoreHandleVal(id->CheckString(), comm::StoreType::MASTER, + static_cast(b->AsEnum()), + options->AsRecordVal()); + comm_mgr->AddStore(rval); + return rval; + %} + +function Store::create_clone%(id: string, b: BackendType &default = MEMORY, + options: BackendOptions &default = BackendOptions(), + resync: interval &default = 1sec%): opaque of Store::Handle + %{ + auto rval = new comm::StoreHandleVal(id->CheckString(), comm::StoreType::CLONE, + static_cast(b->AsEnum()), + options->AsRecordVal(), + std::chrono::duration(resync)); + comm_mgr->AddStore(rval); + return rval; + %} + +function Store::create_frontend%(id: string%): opaque of Store::Handle + %{ + auto rval = new comm::StoreHandleVal(id->CheckString(), comm::StoreType::FRONTEND, + {}, nullptr); + comm_mgr->AddStore(rval); + return rval; + %} + +function Store::close_by_name%(id: string%): bool + %{ + return new Val(comm_mgr->CloseStore(id->CheckString()), TYPE_BOOL); + %} + +function Store::close_by_handle%(h: opaque of Store::Handle%): bool + %{ + auto handle = static_cast(h); + + if ( ! 
handle->store ) + return new Val(false, TYPE_BOOL); + + return new Val(comm_mgr->CloseStore(handle->store->id()), TYPE_BOOL); + %} + +########################### +# non-blocking update API # +########################### + +function Store::insert%(h: opaque of Store::Handle, + k: Comm::Data, v: Comm::Data, + e: Store::ExpiryTime &default = Store::ExpiryTime()%): bool + %{ + auto handle = static_cast(h); + + if ( ! handle->store ) + return new Val(false, TYPE_BOOL); + + auto& key = comm::opaque_field_to_data(k->AsRecordVal(), frame); + auto& val = comm::opaque_field_to_data(v->AsRecordVal(), frame); + + broker::util::optional expiry; + + auto abs_expiry_val = e->AsRecordVal()->Lookup(0); + auto rel_expiry_val = e->AsRecordVal()->Lookup(1); + + if ( abs_expiry_val ) + { + auto tag = broker::store::expiration_time::tag::absolute; + expiry = broker::store::expiration_time(abs_expiry_val->AsTime(), tag); + } + else if ( rel_expiry_val ) + { + auto tag = broker::store::expiration_time::tag::since_last_modification; + expiry = broker::store::expiration_time(rel_expiry_val->AsInterval(), tag); + } + + handle->store->insert(key, val, expiry); + return new Val(true, TYPE_BOOL); + %} + +function Store::erase%(h: opaque of Store::Handle, k: Comm::Data%): bool + %{ + auto handle = static_cast(h); + + if ( ! handle->store ) + return new Val(false, TYPE_BOOL); + + auto& key = comm::opaque_field_to_data(k->AsRecordVal(), frame); + handle->store->erase(key); + return new Val(true, TYPE_BOOL); + %} + +function Store::clear%(h: opaque of Store::Handle%): bool + %{ + auto handle = static_cast(h); + + if ( ! handle->store ) + return new Val(false, TYPE_BOOL); + + handle->store->clear(); + return new Val(true, TYPE_BOOL); + %} + +function Store::increment%(h: opaque of Store::Handle, + k: Comm::Data, by: int%): bool + %{ + auto handle = static_cast(h); + + if ( ! 
handle->store ) + return new Val(false, TYPE_BOOL); + + auto& key = comm::opaque_field_to_data(k->AsRecordVal(), frame); + handle->store->increment(key, by); + return new Val(true, TYPE_BOOL); + %} + +function Store::decrement%(h: opaque of Store::Handle, + k: Comm::Data, by: int%): bool + %{ + auto handle = static_cast(h); + + if ( ! handle->store ) + return new Val(false, TYPE_BOOL); + + auto& key = comm::opaque_field_to_data(k->AsRecordVal(), frame); + handle->store->decrement(key, by); + return new Val(true, TYPE_BOOL); + %} + +function Store::add_to_set%(h: opaque of Store::Handle, + k: Comm::Data, element: Comm::Data%): bool + %{ + auto handle = static_cast(h); + + if ( ! handle->store ) + return new Val(false, TYPE_BOOL); + + auto& key = comm::opaque_field_to_data(k->AsRecordVal(), frame); + auto& ele = comm::opaque_field_to_data(element->AsRecordVal(), frame); + handle->store->add_to_set(key, ele); + return new Val(true, TYPE_BOOL); + %} + +function Store::remove_from_set%(h: opaque of Store::Handle, + k: Comm::Data, element: Comm::Data%): bool + %{ + auto handle = static_cast(h); + + if ( ! handle->store ) + return new Val(false, TYPE_BOOL); + + auto& key = comm::opaque_field_to_data(k->AsRecordVal(), frame); + auto& ele = comm::opaque_field_to_data(element->AsRecordVal(), frame); + handle->store->remove_from_set(key, ele); + return new Val(true, TYPE_BOOL); + %} + +function Store::push_left%(h: opaque of Store::Handle, k: Comm::Data, + items: Comm::DataVector%): bool + %{ + auto handle = static_cast(h); + + if ( ! 
handle->store ) + return new Val(false, TYPE_BOOL); + + auto& key = comm::opaque_field_to_data(k->AsRecordVal(), frame); + broker::vector items_vector; + auto items_vv = items->AsVector(); + + for ( auto i = 0u; i < items_vv->size(); ++i ) + { + auto& item = comm::opaque_field_to_data((*items_vv)[i]->AsRecordVal(), + frame); + items_vector.emplace_back(item); + } + + handle->store->push_left(key, move(items_vector)); + return new Val(true, TYPE_BOOL); + %} + +function Store::push_right%(h: opaque of Store::Handle, k: Comm::Data, + items: Comm::DataVector%): bool + %{ + auto handle = static_cast(h); + + if ( ! handle->store ) + return new Val(false, TYPE_BOOL); + + auto& key = comm::opaque_field_to_data(k->AsRecordVal(), frame); + broker::vector items_vector; + auto items_vv = items->AsVector(); + + for ( auto i = 0u; i < items_vv->size(); ++i ) + { + auto& item = comm::opaque_field_to_data((*items_vv)[i]->AsRecordVal(), + frame); + items_vector.emplace_back(item); + } + + handle->store->push_right(key, move(items_vector)); + return new Val(true, TYPE_BOOL); + %} + +########################## +# non-blocking query API # +########################## + +%%{ +static bool prepare_for_query(Val* opaque, Frame* frame, + comm::StoreHandleVal** handle, + double* timeout, + comm::StoreQueryCallback** cb) + { + *handle = static_cast(opaque); + + if ( ! (*handle)->store ) + return false; + + Trigger* trigger = frame->GetTrigger(); + + if ( ! 
trigger ) + { + reporter->PushLocation(frame->GetCall()->GetLocationInfo()); + reporter->Error("Store queries can only be called inside when-condition"); + reporter->PopLocation(); + return false; + } + + *timeout = trigger->TimeoutValue(); + + if ( *timeout < 0 ) + { + reporter->PushLocation(frame->GetCall()->GetLocationInfo()); + reporter->Error("Store queries must specify a timeout block"); + reporter->PopLocation(); + return false; + } + + frame->SetDelayed(); + trigger->Hold(); + *cb = new comm::StoreQueryCallback(trigger, frame->GetCall(), + (*handle)->store->id()); + comm_mgr->TrackStoreQuery(*cb); + return true; + } + +%%} + +function Store::pop_left%(h: opaque of Store::Handle, + k: Comm::Data%): Store::QueryResult + %{ + double timeout; + comm::StoreQueryCallback* cb; + comm::StoreHandleVal* handle; + + if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) ) + return comm::query_result(); + + Val* key = k->AsRecordVal()->Lookup(0); + + if ( ! key ) + return comm::query_result(); + + handle->store->pop_left(static_cast(key)->data, + std::chrono::duration(timeout), cb); + return 0; + %} + +function Store::pop_right%(h: opaque of Store::Handle, + k: Comm::Data%): Store::QueryResult + %{ + double timeout; + comm::StoreQueryCallback* cb; + comm::StoreHandleVal* handle; + + if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) ) + return comm::query_result(); + + Val* key = k->AsRecordVal()->Lookup(0); + + if ( ! key ) + return comm::query_result(); + + handle->store->pop_right(static_cast(key)->data, + std::chrono::duration(timeout), cb); + return 0; + %} + +function Store::lookup%(h: opaque of Store::Handle, + k: Comm::Data%): Store::QueryResult + %{ + double timeout; + comm::StoreQueryCallback* cb; + comm::StoreHandleVal* handle; + + if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) ) + return comm::query_result(); + + Val* key = k->AsRecordVal()->Lookup(0); + + if ( ! 
key ) + return comm::query_result(); + + handle->store->lookup(static_cast(key)->data, + std::chrono::duration(timeout), cb); + return 0; + %} + +function Store::exists%(h: opaque of Store::Handle, + k: Comm::Data%): Store::QueryResult + %{ + double timeout; + comm::StoreQueryCallback* cb; + comm::StoreHandleVal* handle; + + if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) ) + return comm::query_result(); + + Val* key = k->AsRecordVal()->Lookup(0); + + if ( ! key ) + return comm::query_result(); + + handle->store->exists(static_cast(key)->data, + std::chrono::duration(timeout), cb); + return 0; + %} + +function Store::keys%(h: opaque of Store::Handle%): Store::QueryResult + %{ + double timeout; + comm::StoreQueryCallback* cb; + comm::StoreHandleVal* handle; + + if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) ) + return comm::query_result(); + + handle->store->keys(std::chrono::duration(timeout), cb); + return 0; + %} + +function Store::size%(h: opaque of Store::Handle%): Store::QueryResult + %{ + double timeout; + comm::StoreQueryCallback* cb; + comm::StoreHandleVal* handle; + + if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) ) + return comm::query_result(); + + handle->store->size(std::chrono::duration(timeout), cb); + return 0; + %} From 05a865a907d79b6617dcbb72da3d423636426b82 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 2 Feb 2015 14:56:28 -0600 Subject: [PATCH 022/109] broker integration: add master data store unti test And fix bug w/ looking up nonexistent keys -- the resulting value data should be "null" not "false". --- src/comm/Manager.cc | 14 +- src/comm/store.bif | 4 +- testing/btest/Baseline/comm.master_store/out | 14 ++ testing/btest/comm/master_store.bro | 141 +++++++++++++++++++ 4 files changed, 169 insertions(+), 4 deletions(-) create mode 100644 testing/btest/Baseline/comm.master_store/out create mode 100644 testing/btest/comm/master_store.bro 
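Review bot: In src/comm/store.bif, `Store::pop_left`, `pop_right`, `lookup` and `exists` run the `if ( ! key ) return comm::query_result();` check only after `prepare_for_query()` has already called `frame->SetDelayed()` and `trigger->Hold()` and registered a new `StoreQueryCallback` through `comm_mgr->TrackStoreQuery()`. On that early return no request is sent, so the callback stays in `pending_queries` and the hold on the trigger is never released by a response. Move `Val* key = k->AsRecordVal()->Lookup(0);` and its null check ahead of the `prepare_for_query()` call in all four functions. The `create_master`, `create_clone` and `create_frontend` bodies also ignore the result of `comm_mgr->AddStore(rval)`, so a duplicate id yields a handle whose responses the manager never polls; that case should at least call `reporter->Error`.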
diff --git a/src/comm/Manager.cc b/src/comm/Manager.cc index 9f17878cf6..0b887d4f37 100644 --- a/src/comm/Manager.cc +++ b/src/comm/Manager.cc @@ -408,10 +408,20 @@ double comm::Manager::NextTimestamp(double* local_network_time) struct response_converter { using result_type = RecordVal*; + broker::store::query::tag query_tag; result_type operator()(bool d) { - return comm::make_data_val(broker::data{d}); + switch ( query_tag ) { + case broker::store::query::tag::pop_left: + case broker::store::query::tag::pop_right: + case broker::store::query::tag::lookup: + // A boolean result means the key doesn't exist (if it did, then + // the result would contain the broker::data value, not a bool). + return new RecordVal(BifType::Record::Comm::Data); + default: + return comm::make_data_val(broker::data{d}); + } } result_type operator()(uint64_t d) @@ -446,7 +456,7 @@ struct response_converter { static RecordVal* response_to_val(broker::store::response r) { - return broker::visit(response_converter{}, r.reply.value); + return broker::visit(response_converter{r.request.type}, r.reply.value); } void comm::Manager::Process() diff --git a/src/comm/store.bif b/src/comm/store.bif index fb4c8d57ce..176e55268e 100644 --- a/src/comm/store.bif +++ b/src/comm/store.bif @@ -127,7 +127,7 @@ function Store::clear%(h: opaque of Store::Handle%): bool %} function Store::increment%(h: opaque of Store::Handle, - k: Comm::Data, by: int%): bool + k: Comm::Data, by: int &default = +1%): bool %{ auto handle = static_cast(h); @@ -140,7 +140,7 @@ function Store::increment%(h: opaque of Store::Handle, %} function Store::decrement%(h: opaque of Store::Handle, - k: Comm::Data, by: int%): bool + k: Comm::Data, by: int &default = +1%): bool %{ auto handle = static_cast(h); diff --git a/testing/btest/Baseline/comm.master_store/out b/testing/btest/Baseline/comm.master_store/out new file mode 100644 index 0000000000..defdc9a3e1 --- /dev/null +++ b/testing/btest/Baseline/comm.master_store/out 
@@ -0,0 +1,14 @@
+lookup(two): [status=Store::SUCCESS, result=[d=broker::data{222}]]
+lookup(four): [status=Store::SUCCESS, result=[d=]]
+lookup(myset): [status=Store::SUCCESS, result=[d=broker::data{{a, c, d}}]]
+lookup(one): [status=Store::SUCCESS, result=[d=broker::data{111}]]
+lookup(myvec): [status=Store::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
+exists(one): [status=Store::SUCCESS, result=[d=broker::data{1}]]
+exists(two): [status=Store::SUCCESS, result=[d=broker::data{0}]]
+exists(myset): [status=Store::SUCCESS, result=[d=broker::data{1}]]
+exists(four): [status=Store::SUCCESS, result=[d=broker::data{0}]]
+pop_right(myvec): [status=Store::SUCCESS, result=[d=broker::data{omega}]]
+pop_left(myvec): [status=Store::SUCCESS, result=[d=broker::data{delta}]]
+keys: [status=Store::SUCCESS, result=[d=broker::data{[myvec, myset, one]}]]
+size: [status=Store::SUCCESS, result=[d=broker::data{3}]]
+size (after clear): [status=Store::SUCCESS, result=[d=broker::data{0}]]
diff --git a/testing/btest/comm/master_store.bro b/testing/btest/comm/master_store.bro
new file mode 100644
index 0000000000..84b4ee07a1
--- /dev/null
+++ b/testing/btest/comm/master_store.bro
@@ -0,0 +1,141 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff out + +redef exit_only_after_terminate = T; + +global h: opaque of Store::Handle; +global lookup_count = 0; +const lookup_expect_count = 5; +global exists_count = 0; +const exists_expect_count = 4; +global pop_count = 0; +const pop_expect_count = 2; + +global test_size: event(where: string &default = ""); + +event test_clear() + { + Store::clear(h); + event test_size("after clear"); + } + +event test_size(where: string) + { + when ( local res = Store::size(h) ) + { + if ( where == "" ) + { + print fmt("size: %s", res); + event test_clear(); + } + else + { + print fmt("size (%s): %s", where, res); + terminate(); + } + } + timeout 10sec + { print "timeout"; } + } + +event test_keys() + { + when ( local res = Store::keys(h) ) + { + print fmt("keys: %s", res); + event test_size(); + } + timeout 10sec + { print "timeout"; } + } + +event test_pop(key: string) + { + when ( local lres = Store::pop_left(h, Comm::data(key)) ) + { + print fmt("pop_left(%s): %s", key, lres); + ++pop_count; + + if ( pop_count == pop_expect_count ) + event test_keys(); + } + timeout 10sec + { print "timeout"; } + + when ( local rres = Store::pop_right(h, Comm::data(key)) ) + { + print fmt("pop_right(%s): %s", key, rres); + ++pop_count; + + if ( pop_count == pop_expect_count ) + event test_keys(); + } + timeout 10sec + { print "timeout"; } + } + +function do_exists(key: string) + { + when ( local res = Store::exists(h, Comm::data(key)) ) + { + print fmt("exists(%s): %s", key, res); + ++exists_count; + + if ( exists_count == exists_expect_count ) + event test_pop("myvec"); + } + timeout 10sec + { print "timeout"; } + } + +event test_erase() + { + Store::erase(h, Comm::data("two")); + do_exists("one"); + do_exists("two"); + do_exists("myset"); + do_exists("four"); + } + +function do_lookup(key: string) + { + when ( local res = Store::lookup(h, Comm::data(key)) ) + { + print 
fmt("lookup(%s): %s", key, res); + ++lookup_count; + + if ( lookup_count == lookup_expect_count ) + event test_erase(); + } + timeout 10sec + { print "timeout"; } + } + +function dv(d: Comm::Data): Comm::DataVector + { + local rval: Comm::DataVector; + rval[0] = d; + return rval; + } + +event bro_init() + { + local myset: set[string] = {"a", "b", "c"}; + local myvec: vector of string = {"alpha", "beta", "gamma"}; + h = Store::create_master("master"); + Store::insert(h, Comm::data("one"), Comm::data(110)); + Store::insert(h, Comm::data("two"), Comm::data(223)); + Store::insert(h, Comm::data("myset"), Comm::data(myset)); + Store::insert(h, Comm::data("myvec"), Comm::data(myvec)); + Store::increment(h, Comm::data("one")); + Store::decrement(h, Comm::data("two")); + Store::add_to_set(h, Comm::data("myset"), Comm::data("d")); + Store::remove_from_set(h, Comm::data("myset"), Comm::data("b")); + Store::push_left(h, Comm::data("myvec"), dv(Comm::data("delta"))); + Store::push_right(h, Comm::data("myvec"), dv(Comm::data("omega"))); + do_lookup("one"); + do_lookup("two"); + do_lookup("myset"); + do_lookup("four"); + do_lookup("myvec"); + } From 441c46df76e3a7e0e50877d66d5c9f7dee081ce9 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 3 Feb 2015 11:09:39 -0600 Subject: [PATCH 023/109] broker integration: add unit test for store clones --- aux/broker | 2 +- src/comm/Data.h | 1 + src/comm/Manager.cc | 29 ++++- src/comm/Manager.h | 7 +- src/comm/Store.h | 13 +- src/comm/store.bif | 64 +++++++--- .../Baseline/comm.clone_store/clone.clone.out | 5 + .../comm.clone_store/master.master.out | 0 testing/btest/comm/clone_store.bro | 114 ++++++++++++++++++ 9 files changed, 205 insertions(+), 30 deletions(-) create mode 100644 testing/btest/Baseline/comm.clone_store/clone.clone.out create mode 100644 testing/btest/Baseline/comm.clone_store/master.master.out create mode 100644 testing/btest/comm/clone_store.bro diff --git a/aux/broker b/aux/broker index 177bdfac2c..c217119d9a 160000 
--- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 177bdfac2c768d9ed8f3edb10e9e2dbd0d6f8723 +Subproject commit c217119d9a484da941161d182cdc0a1f86a0d40f diff --git a/src/comm/Data.h b/src/comm/Data.h index c720dcda71..da10853127 100644 --- a/src/comm/Data.h +++ b/src/comm/Data.h @@ -27,6 +27,7 @@ broker::util::optional val_to_data(Val* v); Val* data_to_val(broker::data d, BroType* type); +// TODO: actually need to implement Bro's serialization to support copying vals class DataVal : public OpaqueVal { public: diff --git a/src/comm/Manager.cc b/src/comm/Manager.cc index 0b887d4f37..3d6aad4d1e 100644 --- a/src/comm/Manager.cc +++ b/src/comm/Manager.cc @@ -23,7 +23,7 @@ int comm::Manager::send_flags_unsolicited_idx; comm::Manager::~Manager() { for ( auto& s : data_stores ) - CloseStore(s.first); + CloseStore(s.first.first, s.first.second); } bool comm::Manager::InitPreScript() @@ -741,17 +741,34 @@ bool comm::Manager::AddStore(StoreHandleVal* handle) if ( ! handle->store ) return false; - if ( data_stores.find(handle->store->id()) != data_stores.end() ) + auto key = make_pair(handle->store->id(), handle->store_type); + + if ( data_stores.find(key) != data_stores.end() ) return false; - data_stores[handle->store->id()] = handle; + data_stores[key] = handle; Ref(handle); return true; } -bool comm::Manager::CloseStore(const broker::store::identifier& id) +comm::StoreHandleVal* +comm::Manager::LookupStore(const broker::store::identifier& id, + comm::StoreType type) { - auto it = data_stores.find(id); + auto key = make_pair(id, type); + auto it = data_stores.find(key); + + if ( it == data_stores.end() ) + return nullptr; + + return it->second; + } + +bool comm::Manager::CloseStore(const broker::store::identifier& id, + StoreType type) + { + auto key = make_pair(id, type); + auto it = data_stores.find(key); if ( it == data_stores.end() ) return false; 
@@ -760,7 +777,7 @@ bool comm::Manager::CloseStore(const broker::store::identifier& id) { auto query = *it; - if ( query->StoreID() == id ) + if ( query->GetStoreType() == type && query->StoreID() == id ) { it = pending_queries.erase(it); query->Abort(); diff --git a/src/comm/Manager.h b/src/comm/Manager.h index c9cc2c8464..31fdfa56c1 100644 --- a/src/comm/Manager.h +++ b/src/comm/Manager.h @@ -63,7 +63,9 @@ public: bool AddStore(StoreHandleVal* handle); - bool CloseStore(const broker::store::identifier& id); + StoreHandleVal* LookupStore(const broker::store::identifier& id, StoreType type); + + bool CloseStore(const broker::store::identifier& id, StoreType type); bool TrackStoreQuery(StoreQueryCallback* cb); @@ -91,7 +93,8 @@ private: std::map event_subscriptions; std::map log_subscriptions; - std::map data_stores; + std::map, + StoreHandleVal*> data_stores; std::unordered_set pending_queries; static VectorType* vector_of_data_type; diff --git a/src/comm/Store.h b/src/comm/Store.h index b3a8ccb339..3183afbbb3 100644 --- a/src/comm/Store.h +++ b/src/comm/Store.h @@ -56,8 +56,10 @@ class StoreQueryCallback { public: StoreQueryCallback(Trigger* arg_trigger, const CallExpr* arg_call, - broker::store::identifier arg_store_id) - : trigger(arg_trigger), call(arg_call), store_id(move(arg_store_id)) + broker::store::identifier arg_store_id, + StoreType arg_store_type) + : trigger(arg_trigger), call(arg_call), store_id(move(arg_store_id)), + store_type(arg_store_type) { Ref(trigger); } 
@@ -85,13 +87,20 @@ public: const broker::store::identifier& StoreID() const { return store_id; } + StoreType GetStoreType() const + { return store_type; } + private: Trigger* trigger; const CallExpr* call; broker::store::identifier store_id; + StoreType store_type; }; +// TODO: actually need to implement Bro's serialization to support copying vals +// but doesn't make sense to "copy" a master data store, so assert we can +// lookup a store by pair locally (i.e. shouldn't send handles remotely). class StoreHandleVal : public OpaqueVal { public: diff --git a/src/comm/store.bif b/src/comm/store.bif index 176e55268e..7d09704d31 100644 --- a/src/comm/store.bif +++ b/src/comm/store.bif @@ -25,10 +25,20 @@ enum BackendType %{ function Store::create_master%(id: string, b: BackendType &default = MEMORY, options: BackendOptions &default = BackendOptions()%): opaque of Store::Handle %{ - auto rval = new comm::StoreHandleVal(id->CheckString(), comm::StoreType::MASTER, - static_cast(b->AsEnum()), - options->AsRecordVal()); - comm_mgr->AddStore(rval); + auto id_str = id->CheckString(); + auto type = comm::StoreType::MASTER; + auto rval = comm_mgr->LookupStore(id_str, type); + + if ( rval ) + { + Ref(rval); + return rval; + } + + rval = new comm::StoreHandleVal(id_str, type, + static_cast(b->AsEnum()), + options->AsRecordVal()); + assert(comm_mgr->AddStore(rval)); return rval; %} 
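Review bot: `assert(comm_mgr->AddStore(rval));` in Store::create_master puts the registration call inside an assertion, so a build with NDEBUG defined drops the call and the new handle is never entered in data_stores. In a build with assertions on, any false return from AddStore aborts the whole process from a script-level call instead. Make the call unconditional and report failure, `if ( ! comm_mgr->AddStore(rval) ) reporter->Error("failed to register data store %s", id_str);`. Store::create_clone and Store::create_frontend in the next hunk of this file have the same line.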
@@ -36,25 +46,39 @@ function Store::create_clone%(id: string, b: BackendType &default = MEMORY, options: BackendOptions &default = BackendOptions(), resync: interval &default = 1sec%): opaque of Store::Handle %{ - auto rval = new comm::StoreHandleVal(id->CheckString(), comm::StoreType::CLONE, - static_cast(b->AsEnum()), - options->AsRecordVal(), - std::chrono::duration(resync)); - comm_mgr->AddStore(rval); + auto id_str = id->CheckString(); + auto type = comm::StoreType::CLONE; + auto rval = comm_mgr->LookupStore(id_str, type); + + if ( rval ) + { + Ref(rval); + return rval; + } + + rval = new comm::StoreHandleVal(id_str, type, + static_cast(b->AsEnum()), + options->AsRecordVal(), + std::chrono::duration(resync)); + assert(comm_mgr->AddStore(rval)); return rval; %} function Store::create_frontend%(id: string%): opaque of Store::Handle %{ - auto rval = new comm::StoreHandleVal(id->CheckString(), comm::StoreType::FRONTEND, - {}, nullptr); - comm_mgr->AddStore(rval); - return rval; - %} + auto id_str = id->CheckString(); + auto type = comm::StoreType::FRONTEND; + auto rval = comm_mgr->LookupStore(id_str, type); -function Store::close_by_name%(id: string%): bool - %{ - return new Val(comm_mgr->CloseStore(id->CheckString()), TYPE_BOOL); + if ( rval ) + { + Ref(rval); + return rval; + } + + rval = new comm::StoreHandleVal(id_str, type, {}, nullptr); + assert(comm_mgr->AddStore(rval)); + return rval; %} function Store::close_by_handle%(h: opaque of Store::Handle%): bool @@ -64,7 +88,8 @@ function Store::close_by_handle%(h: opaque of Store::Handle%): bool if ( ! handle->store ) return new Val(false, TYPE_BOOL); - return new Val(comm_mgr->CloseStore(handle->store->id()), TYPE_BOOL); + return new Val(comm_mgr->CloseStore(handle->store->id(), + handle->store_type), TYPE_BOOL); %} ########################### 
@@ -264,7 +289,8 @@ static bool prepare_for_query(Val* opaque, Frame* frame, frame->SetDelayed(); trigger->Hold(); *cb = new comm::StoreQueryCallback(trigger, frame->GetCall(), - (*handle)->store->id()); + (*handle)->store->id(), + (*handle)->store_type); comm_mgr->TrackStoreQuery(*cb); return true; } diff --git a/testing/btest/Baseline/comm.clone_store/clone.clone.out b/testing/btest/Baseline/comm.clone_store/clone.clone.out new file mode 100644 index 0000000000..8a7c89a19b --- /dev/null +++ b/testing/btest/Baseline/comm.clone_store/clone.clone.out @@ -0,0 +1,5 @@ +clone keys, [status=Store::SUCCESS, result=[d=broker::data{[one, two, myset, myvec]}]] +lookup, one, [status=Store::SUCCESS, result=[d=broker::data{111}]] +lookup, two, [status=Store::SUCCESS, result=[d=broker::data{222}]] +lookup, myset, [status=Store::SUCCESS, result=[d=broker::data{{a, c, d}}]] +lookup, myvec, [status=Store::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]] diff --git a/testing/btest/Baseline/comm.clone_store/master.master.out b/testing/btest/Baseline/comm.clone_store/master.master.out new file mode 100644 index 0000000000..e69de29bb2 diff --git a/testing/btest/comm/clone_store.bro b/testing/btest/comm/clone_store.bro new file mode 100644 index 0000000000..03e0fe172f --- /dev/null +++ b/testing/btest/comm/clone_store.bro 
@@ -0,0 +1,114 @@ +# @TEST_SERIALIZE: brokercomm +# @TEST_REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt + +# @TEST-EXEC: btest-bg-run clone "bro -b ../clone.bro >clone.out" +# @TEST-EXEC: btest-bg-run master "bro -b ../master.bro >master.out" + +# @TEST-EXEC: btest-bg-wait 20 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff clone/clone.out +# @TEST-EXEC: btest-diff master/master.out + +@TEST-START-FILE clone.bro + +redef exit_only_after_terminate = T; + +global h: opaque of Store::Handle; +global expected_key_count = 4; +global key_count = 0; + +event done() + { + terminate(); + } + +function do_lookup(key: string) + { + when ( local res = Store::lookup(h, Comm::data(key)) ) + { + ++key_count; + print "lookup", key, res; + + if ( key_count == expected_key_count ) + event done(); + } + timeout 10sec + { print "timeout"; } + } + +event ready() + { + h = Store::create_clone("mystore"); + + when ( local res = Store::keys(h) ) + { + print "clone keys", res; + do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 0))); + do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 1))); + do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 2))); + do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 3))); + } + timeout 10sec + { print "timeout"; } + } + +event bro_init() + { + Comm::listen(9999/tcp, "127.0.0.1"); + Comm::subscribe_to_events("bro/event/ready"); + Comm::auto_event("bro/event/done", done); + } + +@TEST-END-FILE + +@TEST-START-FILE master.bro + +redef exit_only_after_terminate = T; + +global h: opaque of Store::Handle; + +function dv(d: Comm::Data): Comm::DataVector + { + local rval: Comm::DataVector; + rval[0] = d; + return rval; + } + +global ready: event(); + +event done() + { + terminate(); + } + +event Comm::remote_connection_established(peer_address: string, + peer_port: port, + peer_name: string) + { + local myset: set[string] = {"a", "b", "c"}; + local myvec: vector of string = 
{"alpha", "beta", "gamma"}; + h = Store::create_master("mystore"); + Store::insert(h, Comm::data("one"), Comm::data(110)); + Store::insert(h, Comm::data("two"), Comm::data(223)); + Store::insert(h, Comm::data("myset"), Comm::data(myset)); + Store::insert(h, Comm::data("myvec"), Comm::data(myvec)); + Store::increment(h, Comm::data("one")); + Store::decrement(h, Comm::data("two")); + Store::add_to_set(h, Comm::data("myset"), Comm::data("d")); + Store::remove_from_set(h, Comm::data("myset"), Comm::data("b")); + Store::push_left(h, Comm::data("myvec"), dv(Comm::data("delta"))); + Store::push_right(h, Comm::data("myvec"), dv(Comm::data("omega"))); + + when ( local res = Store::size(h) ) + { event ready(); } + timeout 10sec + { print "timeout"; } + } + +event bro_init() + { + Comm::connect("127.0.0.1", 9999/tcp, 1secs); + Comm::auto_event("bro/event/ready", ready); + Comm::subscribe_to_events("bro/event/done"); + } + +@TEST-END-FILE From bb9e6583e0b113aa82553c4f55341034d61d87a2 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 3 Feb 2015 13:54:40 -0600 Subject: [PATCH 024/109] broker integration: Comm::Data/Store::Handle opaque serialization For now, this is needed when locally cloning Vals. E.g. "when" statements will clone an entire frame and data store queries use "when" statements, so it's likely there will be locals of these opaque types that get cloned. --- src/SerialTypes.h | 2 + src/comm/CMakeLists.txt | 3 ++ src/comm/Data.cc | 34 +++++++++++++++++ src/comm/Data.h | 8 +++- src/comm/Manager.cc | 1 + src/comm/Store.cc | 82 +++++++++++++++++++++++++++++++++++++---- src/comm/Store.h | 12 ++++-- 7 files changed, 130 insertions(+), 12 deletions(-) diff --git a/src/SerialTypes.h b/src/SerialTypes.h index d2f227838c..4e6bbb11ac 100644 --- a/src/SerialTypes.h +++ b/src/SerialTypes.h 
@@ -113,6 +113,8 @@ SERIAL_VAL(TOPK_VAL, 20) SERIAL_VAL(BLOOMFILTER_VAL, 21) SERIAL_VAL(CARDINALITY_VAL, 22) SERIAL_VAL(X509_VAL, 23) +SERIAL_VAL(COMM_STORE_HANDLE_VAL, 24) +SERIAL_VAL(COMM_DATA_VAL, 25) #define SERIAL_EXPR(name, val) SERIAL_CONST(name, val, EXPR) SERIAL_EXPR(EXPR, 1) diff --git a/src/comm/CMakeLists.txt b/src/comm/CMakeLists.txt index da726e54d6..6453e006bf 100644 --- a/src/comm/CMakeLists.txt +++ b/src/comm/CMakeLists.txt @@ -10,6 +10,9 @@ if ( ROCKSDB_INCLUDE_DIR ) include_directories(BEFORE ${ROCKSDB_INCLUDE_DIR}) endif () +include_directories(BEFORE ${LIBCAF_INCLUDE_DIR_CORE}) +include_directories(BEFORE ${LIBCAF_INCLUDE_DIR_IO}) + set(comm_SRCS Data.cc Manager.cc diff --git a/src/comm/Data.cc b/src/comm/Data.cc index 3b1a240988..0ea7666f9e 100644 --- a/src/comm/Data.cc +++ b/src/comm/Data.cc @@ -1,5 +1,7 @@ #include "Data.h" #include "comm/data.bif.h" +#include +#include using namespace std; @@ -663,3 +665,35 @@ broker::data& comm::opaque_field_to_data(RecordVal* v, Frame* f) return static_cast(d)->data; } + +IMPLEMENT_SERIAL(comm::DataVal, SER_COMM_DATA_VAL); + +bool comm::DataVal::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_COMM_DATA_VAL, OpaqueVal); + + std::string serial; + caf::binary_serializer bs(std::back_inserter(serial)); + bs << data; + + if ( ! SERIALIZE_STR(serial.data(), serial.size()) ) + return false; + + return true; + } + +bool comm::DataVal::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(OpaqueVal); + + const char* serial; + int len; + + if ( ! UNSERIALIZE_STR(&serial, &len) ) + return false; + + caf::binary_deserializer bd(serial, len); + caf::uniform_typeid()->deserialize(&data, &bd); + delete [] serial; + return true; + } diff --git a/src/comm/Data.h b/src/comm/Data.h index da10853127..ed3c16f677 100644 --- a/src/comm/Data.h +++ b/src/comm/Data.h 
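Review bot: comm::DataVal::DoUnserialize returns true without checking the outcome of `caf::uniform_typeid()->deserialize(&data, &bd);`, so a truncated or malformed byte string is not reported to the caller as a failed unserialize. How CAF signals a decode error is not visible here; if it throws, `serial` also leaks, because `delete [] serial;` comes after the call. The commit message scopes this to local clones, but nothing in the hunk restricts where the bytes come from, so treat the decode as fallible: free `serial` on every path and return false when decoding fails.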
@@ -27,7 +27,6 @@ broker::util::optional val_to_data(Val* v); Val* data_to_val(broker::data d, BroType* type); -// TODO: actually need to implement Bro's serialization to support copying vals class DataVal : public OpaqueVal { public: @@ -42,7 +41,14 @@ public: d->Add("}"); } + DECLARE_SERIAL(DataVal); + broker::data data; + +protected: + + DataVal() + {} }; struct type_name_getter { diff --git a/src/comm/Manager.cc b/src/comm/Manager.cc index 3d6aad4d1e..cfce84a1c9 100644 --- a/src/comm/Manager.cc +++ b/src/comm/Manager.cc @@ -787,6 +787,7 @@ bool comm::Manager::CloseStore(const broker::store::identifier& id, ++it; } + delete it->second->store; it->second->store = nullptr; Unref(it->second); return true; diff --git a/src/comm/Store.cc b/src/comm/Store.cc index 0d94795ce8..8c55c31785 100644 --- a/src/comm/Store.cc +++ b/src/comm/Store.cc @@ -78,17 +78,15 @@ comm::StoreHandleVal::StoreHandleVal(broker::store::identifier id, switch ( store_type ) { case StoreType::FRONTEND: - store.reset(new broker::store::frontend(comm_mgr->Endpoint(), - move(id))); + store = new broker::store::frontend(comm_mgr->Endpoint(), move(id)); break; case StoreType::MASTER: - store.reset(new broker::store::master(comm_mgr->Endpoint(), - move(id), move(backend))); + store = new broker::store::master(comm_mgr->Endpoint(), move(id), + move(backend)); break; case StoreType::CLONE: - store.reset(new broker::store::clone(comm_mgr->Endpoint(), - move(id), resync, - move(backend))); + store = new broker::store::clone(comm_mgr->Endpoint(), move(id), resync, + move(backend)); break; default: reporter->FatalError("unknown data store type: %d", 
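Review bot: `delete it->second->store;` in CloseStore frees the broker store while other StoreHandleVal objects can still point at it: the StoreHandleVal::DoUnserialize added in Store.cc copies the raw pointer with `store = handle->store;`, and Store.h changes the member from `std::unique_ptr` to a plain `broker::store::frontend*`. Only the registered handle gets `store = nullptr`, so a handle cloned for a `when` frame (the case the commit message describes) keeps a dangling pointer, and a later call such as `handle->store->lookup(...)` through it would be a use-after-free. Shared ownership of the store (a `std::shared_ptr` member that CloseStore resets and clones copy), or having clones resolve the store through LookupStore at the point of use, would remove the dangling pointer. CloseStore's body starts outside this hunk.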
@@ -139,3 +137,73 @@ void comm::StoreHandleVal::ValDescribe(ODesc* d) const d->Add("}"); } + +IMPLEMENT_SERIAL(comm::StoreHandleVal, SER_COMM_STORE_HANDLE_VAL); + +bool comm::StoreHandleVal::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_COMM_STORE_HANDLE_VAL, OpaqueVal); + + bool have_store = store != nullptr; + + if ( ! SERIALIZE(have_store) ) + return false; + + if ( ! have_store ) + return true; + + if ( ! SERIALIZE(static_cast(store_type)) ) + return false; + + if ( ! SERIALIZE_STR(store->id().data(), store->id().size()) ) + return false; + + return true; + } + +bool comm::StoreHandleVal::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(OpaqueVal); + + bool have_store; + + if ( ! UNSERIALIZE(&have_store) ) + return false; + + if ( ! have_store ) + { + store = nullptr; + return true; + } + + int type; + + if ( ! UNSERIALIZE(&type) ) + return false; + + const char* id_str; + int len; + + if ( ! UNSERIALIZE_STR(&id_str, &len) ) + return false; + + broker::store::identifier id(id_str, len); + delete [] id_str; + + auto handle = comm_mgr->LookupStore(id, static_cast(type)); + + if ( ! handle ) + { + // Passing serialized version of store handles to other Bro processes + // doesn't make sense, only allow local clones of the handle val. + reporter->Error("failed to look up unserialized store handle %s, %d", + id.data(), type); + store = nullptr; + return false; + } + + store = handle->store; + store_type = handle->store_type; + backend_type = handle->backend_type; + return true; + } diff --git a/src/comm/Store.h b/src/comm/Store.h index 3183afbbb3..b02c5b4f5b 100644 --- a/src/comm/Store.h +++ b/src/comm/Store.h @@ -98,9 +98,6 @@ private: StoreType store_type; }; -// TODO: actually need to implement Bro's serialization to support copying vals -// but doesn't make sense to "copy" a master data store, so assert we can -// lookup a store by pair locally (i.e. shouldn't send handles remotely). class StoreHandleVal : public OpaqueVal { public: 
@@ -112,9 +109,16 @@ public: void ValDescribe(ODesc* d) const override; - std::unique_ptr store; + DECLARE_SERIAL(StoreHandleVal); + + broker::store::frontend* store; comm::StoreType store_type; broker::util::optional backend_type; + +protected: + + StoreHandleVal() + {} }; } // namespace comm From 0cf982f1d1f9d4db458b32fdba5d068bb358c115 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 3 Feb 2015 15:11:16 -0600 Subject: [PATCH 025/109] broker integration: process debug/diagnostic reports from broker --- aux/broker | 2 +- src/DebugLogger.cc | 2 +- src/DebugLogger.h | 1 + src/comm/Manager.cc | 59 +++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 62 insertions(+), 2 deletions(-) diff --git a/aux/broker b/aux/broker index c217119d9a..0760c6808c 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit c217119d9a484da941161d182cdc0a1f86a0d40f +Subproject commit 0760c6808c1d035b7e9f484daefe8ba0a3d6ee13 diff --git a/src/DebugLogger.cc b/src/DebugLogger.cc index 6f025e3c2b..3ce5d92888 100644 --- a/src/DebugLogger.cc +++ b/src/DebugLogger.cc @@ -19,7 +19,7 @@ DebugLogger::Stream DebugLogger::streams[NUM_DBGS] = { { "logging", 0, false }, {"input", 0, false }, { "threading", 0, false }, { "file_analysis", 0, false }, { "plugins", 0, false }, { "broxygen", 0, false }, - { "pktio", 0, false} + { "pktio", 0, false }, { "broker", 0, false } }; DebugLogger::DebugLogger(const char* filename) diff --git a/src/DebugLogger.h b/src/DebugLogger.h index 9cd09dada1..13124657e7 100644 --- a/src/DebugLogger.h +++ b/src/DebugLogger.h @@ -32,6 +32,7 @@ enum DebugStream { DBG_PLUGINS, // Plugin system DBG_BROXYGEN, // Broxygen DBG_PKTIO, // Packet sources and dumpers. + DBG_BROKER, // Broker communication NUM_DBGS // Has to be last }; diff --git a/src/comm/Manager.cc b/src/comm/Manager.cc index cfce84a1c9..443c5f90da 100644 --- a/src/comm/Manager.cc +++ b/src/comm/Manager.cc 
@@ -2,6 +2,7 @@ #include "Data.h" #include "Store.h" #include +#include #include #include #include "util.h" @@ -11,6 +12,7 @@ #include "comm/messaging.bif.h" #include "comm/store.bif.h" #include "logging/Manager.h" +#include "DebugLogger.h" using namespace std; @@ -67,6 +69,15 @@ bool comm::Manager::InitPostScript() return false; } + res = broker::report::init(true); + + if ( res ) + { + fprintf(stderr, "broker::report::init failed: %s\n", + broker::strerror(res)); + return false; + } + const char* name; auto name_from_script = internal_val("Comm::endpoint_name")->AsString(); @@ -398,6 +409,8 @@ void comm::Manager::GetFds(iosource::FD_Set* read, iosource::FD_Set* write, for ( const auto& s : data_stores ) read->Insert(s.second->store->responses().fd()); + + read->Insert(broker::report::default_queue->fd()); } double comm::Manager::NextTimestamp(double* local_network_time) @@ -733,6 +746,52 @@ void comm::Manager::Process() } } + auto reports = broker::report::default_queue->want_pop(); + + if ( ! reports.empty() ) + { + idle = false; + + for ( auto& report : reports ) + { + if ( report.size() < 2 ) + { + reporter->Warning("got broker report msg of size %zu, expect 4", + report.size()); + continue; + } + + uint64_t* level = broker::get(report[1]); + + if ( ! level ) + { + reporter->Warning("got broker report msg w/ bad level type: %d", + static_cast(broker::which(report[1]))); + continue; + } + + auto lvl = static_cast(*level); + + switch ( lvl ) { + case broker::report::level::debug: + DBG_LOG(DBG_BROKER, broker::to_string(report).data()); + break; + case broker::report::level::info: + reporter->Info("broker info: %s", + broker::to_string(report).data()); + break; + case broker::report::level::warn: + reporter->Warning("broker warning: %s", + broker::to_string(report).data()); + break; + case broker::report::level::error: + reporter->Error("broker error: %s", + broker::to_string(report).data()); + break; + } + } + } + SetIdle(idle); } 
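Review bot: `DBG_LOG(DBG_BROKER, broker::to_string(report).data());` in the new report loop of Manager::Process passes the report text as the format argument, while the info, warn and error branches beside it pass it as data behind `"broker info: %s"` and similar. DBG_LOG takes a printf-style format, so any `%` in a report is read as a conversion with no matching argument, and report text may carry strings influenced by a peer. Use `DBG_LOG(DBG_BROKER, "%s", broker::to_string(report).data());`. Two smaller points in the same loop: the check is `report.size() < 2` but the warning says `expect 4`, and the switch has no `default:` for an unknown level value. Process starts outside this hunk.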
From 4dfec041352298b32d857f715b04a8be722bf89b Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 3 Feb 2015 16:38:56 -0600 Subject: [PATCH 026/109] broker integration: add Comm::enable function Works like old enable_communication(), but for new broker communication mechanism. Scripts have to explicitly call this if they want to use the broker communication functionality. Saves a decent chunk of Bros' initialization time when one doesn't need communication features. --- src/Net.cc | 13 ++++- src/comm/CMakeLists.txt | 1 + src/comm/Manager.cc | 72 +++++++++++++++++++++++++--- src/comm/Manager.h | 5 +- src/comm/comm.bif | 13 +++++ src/main.cc | 11 ----- testing/btest/comm/clone_store.bro | 2 + testing/btest/comm/data.bro | 1 + testing/btest/comm/master_store.bro | 1 + testing/btest/comm/remote_event.test | 2 + testing/btest/comm/remote_log.test | 11 +++-- testing/btest/comm/remote_print.test | 2 + 12 files changed, 108 insertions(+), 26 deletions(-) create mode 100644 src/comm/comm.bif diff --git a/src/Net.cc b/src/Net.cc index adac9c02fd..3acd4bce9d 100644 --- a/src/Net.cc +++ b/src/Net.cc @@ -34,6 +34,10 @@ #include "iosource/PktDumper.h" #include "plugin/Manager.h" +#ifdef ENABLE_BROKER +#include "comm/Manager.h" +#endif + extern "C" { #include "setsignal.h" }; @@ -315,6 +319,11 @@ void net_run() } #endif current_iosrc = src; + bool communication_enabled = using_communication; + +#ifdef ENABLE_BROKER + communication_enabled |= comm_mgr->Enabled(); +#endif if ( src ) src->Process(); // which will call net_packet_dispatch() @@ -332,7 +341,7 @@ void net_run() } } - else if ( (have_pending_timers || using_communication) && + else if ( (have_pending_timers || communication_enabled) && ! pseudo_realtime ) { // Take advantage of the lull to get up to 
@@ -347,7 +356,7 @@ void net_run() // us a lot of idle time, but doesn't delay near-term // timers too much. (Delaying them somewhat is okay, // since Bro timers are not high-precision anyway.) - if ( ! using_communication ) + if ( ! communication_enabled ) usleep(100000); else usleep(1000); diff --git a/src/comm/CMakeLists.txt b/src/comm/CMakeLists.txt index 6453e006bf..ef41c605c7 100644 --- a/src/comm/CMakeLists.txt +++ b/src/comm/CMakeLists.txt @@ -19,6 +19,7 @@ set(comm_SRCS Store.cc ) +bif_target(comm.bif) bif_target(data.bif) bif_target(messaging.bif) bif_target(store.bif) diff --git a/src/comm/Manager.cc b/src/comm/Manager.cc index 443c5f90da..7db80ebb40 100644 --- a/src/comm/Manager.cc +++ b/src/comm/Manager.cc @@ -13,6 +13,7 @@ #include "comm/store.bif.h" #include "logging/Manager.h" #include "DebugLogger.h" +#include "iosource/Manager.h" using namespace std; @@ -28,11 +29,6 @@ comm::Manager::~Manager() CloseStore(s.first.first, s.first.second); } -bool comm::Manager::InitPreScript() - { - return true; - } - static int require_field(RecordType* rt, const char* name) { auto rval = rt->FieldOffset(name); @@ -44,8 +40,11 @@ static int require_field(RecordType* rt, const char* name) return rval; } -bool comm::Manager::InitPostScript() +bool comm::Manager::Enable() { + if ( endpoint != nullptr ) + return true; + auto send_flags_type = internal_type("Comm::SendFlags")->AsRecordType(); send_flags_self_idx = require_field(send_flags_type, "self"); send_flags_peers_idx = require_field(send_flags_type, "peers"); @@ -94,11 +93,15 @@ bool comm::Manager::InitPostScript() } endpoint = unique_ptr(new broker::endpoint(name)); + iosource_mgr->Register(this, true); return true; } bool comm::Manager::Listen(uint16_t port, const char* addr, bool reuse_addr) { + if ( ! Enabled() ) + return false; + auto rval = endpoint->listen(port, addr, reuse_addr); if ( ! rval ) 
@@ -114,6 +117,9 @@ bool comm::Manager::Listen(uint16_t port, const char* addr, bool reuse_addr) bool comm::Manager::Connect(string addr, uint16_t port, chrono::duration retry_interval) { + if ( ! Enabled() ) + return false; + auto& peer = peers[make_pair(addr, port)]; if ( peer ) @@ -125,6 +131,9 @@ bool comm::Manager::Connect(string addr, uint16_t port, bool comm::Manager::Disconnect(const string& addr, uint16_t port) { + if ( ! Enabled() ) + return false; + auto it = peers.find(make_pair(addr, port)); if ( it == peers.end() ) @@ -137,18 +146,27 @@ bool comm::Manager::Disconnect(const string& addr, uint16_t port) bool comm::Manager::Print(string topic, string msg, Val* flags) { + if ( ! Enabled() ) + return false; + endpoint->send(move(topic), broker::message{move(msg)}, GetFlags(flags)); return true; } bool comm::Manager::Event(std::string topic, broker::message msg, int flags) { + if ( ! Enabled() ) + return false; + endpoint->send(move(topic), move(msg), flags); return true; } bool comm::Manager::Log(EnumVal* stream, RecordVal* columns, int flags) { + if ( ! Enabled() ) + return false; + auto stream_name = stream->Type()->AsEnumType()->Lookup(stream->AsEnum()); if ( ! stream_name ) @@ -176,6 +194,9 @@ bool comm::Manager::Log(EnumVal* stream, RecordVal* columns, int flags) bool comm::Manager::Event(std::string topic, RecordVal* args, Val* flags) { + if ( ! Enabled() ) + return false; + if ( ! args->Lookup(0) ) return false; @@ -198,6 +219,9 @@ bool comm::Manager::Event(std::string topic, RecordVal* args, Val* flags) bool comm::Manager::AutoEvent(string topic, Val* event, Val* flags) { + if ( ! Enabled() ) + return false; + if ( event->Type()->Tag() != TYPE_FUNC ) { reporter->Error("Comm::auto_event must operate on an event"); 
@@ -227,6 +251,9 @@ bool comm::Manager::AutoEvent(string topic, Val* event, Val* flags) bool comm::Manager::AutoEventStop(const string& topic, Val* event) { + if ( ! Enabled() ) + return false; + if ( event->Type()->Tag() != TYPE_FUNC ) { reporter->Error("Comm::auto_event_stop must operate on an event"); @@ -257,6 +284,9 @@ bool comm::Manager::AutoEventStop(const string& topic, Val* event) RecordVal* comm::Manager::MakeEventArgs(val_list* args) { + if ( ! Enabled() ) + return nullptr; + auto rval = new RecordVal(BifType::Record::Comm::EventArgs); auto arg_vec = new VectorVal(vector_of_data_type); rval->Assign(1, arg_vec); @@ -324,6 +354,9 @@ RecordVal* comm::Manager::MakeEventArgs(val_list* args) bool comm::Manager::SubscribeToPrints(string topic_prefix) { + if ( ! Enabled() ) + return false; + auto& q = print_subscriptions[topic_prefix]; if ( q ) @@ -335,11 +368,17 @@ bool comm::Manager::SubscribeToPrints(string topic_prefix) bool comm::Manager::UnsubscribeToPrints(const string& topic_prefix) { + if ( ! Enabled() ) + return false; + return print_subscriptions.erase(topic_prefix); } bool comm::Manager::SubscribeToEvents(string topic_prefix) { + if ( ! Enabled() ) + return false; + auto& q = event_subscriptions[topic_prefix]; if ( q ) @@ -351,11 +390,17 @@ bool comm::Manager::SubscribeToEvents(string topic_prefix) bool comm::Manager::UnsubscribeToEvents(const string& topic_prefix) { + if ( ! Enabled() ) + return false; + return event_subscriptions.erase(topic_prefix); } bool comm::Manager::SubscribeToLogs(string topic_prefix) { + if ( ! Enabled() ) + return false; + auto& q = log_subscriptions[topic_prefix]; if ( q ) @@ -367,6 +412,9 @@ bool comm::Manager::SubscribeToLogs(string topic_prefix) bool comm::Manager::UnsubscribeToLogs(const string& topic_prefix) { + if ( ! Enabled() ) + return false; + return log_subscriptions.erase(topic_prefix); } 
@@ -797,6 +845,9 @@ void comm::Manager::Process() bool comm::Manager::AddStore(StoreHandleVal* handle) { + if ( ! Enabled() ) + return false; + if ( ! handle->store ) return false; @@ -814,6 +865,9 @@ comm::StoreHandleVal* comm::Manager::LookupStore(const broker::store::identifier& id, comm::StoreType type) { + if ( ! Enabled() ) + return nullptr; + auto key = make_pair(id, type); auto it = data_stores.find(key); @@ -826,6 +880,9 @@ comm::Manager::LookupStore(const broker::store::identifier& id, bool comm::Manager::CloseStore(const broker::store::identifier& id, StoreType type) { + if ( ! Enabled() ) + return false; + auto key = make_pair(id, type); auto it = data_stores.find(key); @@ -854,5 +911,8 @@ bool comm::Manager::CloseStore(const broker::store::identifier& id, bool comm::Manager::TrackStoreQuery(StoreQueryCallback* cb) { + if ( ! Enabled() ) + return false; + return pending_queries.insert(cb).second; } diff --git a/src/comm/Manager.h b/src/comm/Manager.h index 31fdfa56c1..2317ecea2c 100644 --- a/src/comm/Manager.h +++ b/src/comm/Manager.h @@ -24,9 +24,10 @@ public: ~Manager(); - bool InitPreScript(); + bool Enable(); - bool InitPostScript(); + bool Enabled() + { return endpoint != nullptr; } bool Listen(uint16_t port, const char* addr = nullptr, bool reuse_addr = true); diff --git a/src/comm/comm.bif b/src/comm/comm.bif new file mode 100644 index 0000000000..7f8d85b720 --- /dev/null +++ b/src/comm/comm.bif @@ -0,0 +1,13 @@ + +##! General functions regarding Bro's broker communication mechanisms. + +%%{ +#include "comm/Manager.h" +%%} + +module Comm; + +function Comm::enable%(%): bool + %{ + return new Val(comm_mgr->Enable(), TYPE_BOOL); + %} diff --git a/src/main.cc b/src/main.cc index 5385ca7993..3d80833009 100644 --- a/src/main.cc +++ b/src/main.cc 
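Review bot: `Enabled()` in the Manager.h hunk is a pure query but is not declared const, so it cannot be called on a const Manager or from a const member function. Declare it as `bool Enabled() const { return endpoint != nullptr; }`. A short comment above it stating that the public operations return false or null until `Enable()` has succeeded would also document the contract that the guards added in Manager.cc now rely on.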
@@ -860,12 +860,6 @@ int main(int argc, char** argv) #ifdef ENABLE_BROKER comm_mgr = new comm::Manager(); - - if ( ! comm_mgr->InitPreScript() ) - { - fprintf(stderr, "Failed to initialize communication manager."); - exit(1); - } #endif plugin_mgr->InitPreScript(); @@ -942,11 +936,6 @@ int main(int argc, char** argv) exit(rc); } -#ifdef ENABLE_BROKER - comm_mgr->InitPostScript(); - iosource_mgr->Register(comm_mgr, true); -#endif - #ifdef USE_PERFTOOLS_DEBUG } #endif diff --git a/testing/btest/comm/clone_store.bro b/testing/btest/comm/clone_store.bro index 03e0fe172f..3ea0347024 100644 --- a/testing/btest/comm/clone_store.bro +++ b/testing/btest/comm/clone_store.bro @@ -53,6 +53,7 @@ event ready() event bro_init() { + Comm::enable(); Comm::listen(9999/tcp, "127.0.0.1"); Comm::subscribe_to_events("bro/event/ready"); Comm::auto_event("bro/event/done", done); @@ -106,6 +107,7 @@ event Comm::remote_connection_established(peer_address: string, event bro_init() { + Comm::enable(); Comm::connect("127.0.0.1", 9999/tcp, 1secs); Comm::auto_event("bro/event/ready", ready); Comm::subscribe_to_events("bro/event/done"); diff --git a/testing/btest/comm/data.bro b/testing/btest/comm/data.bro index 3fb9dcd86e..dfbb8fc1d7 100644 --- a/testing/btest/comm/data.bro +++ b/testing/btest/comm/data.bro @@ -100,6 +100,7 @@ function comm_vector_to_bro_vector(d: Comm::Data): bro_vector event bro_init() { +Comm::enable(); print Comm::data_type(Comm::data(T)); print Comm::data_type(Comm::data(+1)); print Comm::data_type(Comm::data(1)); diff --git a/testing/btest/comm/master_store.bro b/testing/btest/comm/master_store.bro index 84b4ee07a1..a1cc6a8c95 100644 --- a/testing/btest/comm/master_store.bro +++ b/testing/btest/comm/master_store.bro @@ -120,6 +120,7 @@ function dv(d: Comm::Data): Comm::DataVector event bro_init() { + Comm::enable(); local myset: set[string] = {"a", "b", "c"}; local myvec: vector of string = {"alpha", "beta", "gamma"}; h = Store::create_master("master"); 
diff --git a/testing/btest/comm/remote_event.test b/testing/btest/comm/remote_event.test index 9ab9a6b224..f44ed0df10 100644 --- a/testing/btest/comm/remote_event.test +++ b/testing/btest/comm/remote_event.test @@ -17,6 +17,7 @@ global auto_event_handler: event(msg: string, c: count); event bro_init() { + Comm::enable(); Comm::listen(9999/tcp, "127.0.0.1"); Comm::subscribe_to_events("bro/event/"); Comm::auto_event("bro/event/my_topic", auto_event_handler); @@ -47,6 +48,7 @@ global auto_event_handler: event(msg: string, c: count); event bro_init() { + Comm::enable(); Comm::subscribe_to_events("bro/event/my_topic"); Comm::connect("127.0.0.1", 9999/tcp, 1secs); } diff --git a/testing/btest/comm/remote_log.test b/testing/btest/comm/remote_log.test index aea88cdc25..7cdc2ab97d 100644 --- a/testing/btest/comm/remote_log.test +++ b/testing/btest/comm/remote_log.test @@ -23,13 +23,14 @@ export { }; global log_test: event(rec: Test::Info); - - event bro_init() &priority=5 - { - Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test]); - } } +event bro_init() &priority=5 + { + Comm::enable(); + Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test]); + } + @TEST-END-FILE @TEST-START-FILE recv.bro diff --git a/testing/btest/comm/remote_print.test b/testing/btest/comm/remote_print.test index 48dfd98bed..03e7517f20 100644 --- a/testing/btest/comm/remote_print.test +++ b/testing/btest/comm/remote_print.test @@ -14,6 +14,7 @@ redef exit_only_after_terminate = T; event bro_init() { + Comm::enable(); Comm::listen(9999/tcp, "127.0.0.1"); Comm::subscribe_to_prints("bro/print/"); } @@ -38,6 +39,7 @@ redef exit_only_after_terminate = T; event bro_init() { + Comm::enable(); Comm::subscribe_to_prints("bro/print/my_topic"); Comm::connect("127.0.0.1", 9999/tcp, 1secs); } From 67271ea897e470f6cf2b3484bcc7a6aa4f0622bf Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 3 Feb 2015 17:05:54 -0600 Subject: [PATCH 027/109] Update coverage unit test baselines. --- .../canonified_loaded_scripts.log | 10 +++++-- .../canonified_loaded_scripts.log | 10 +++++-- testing/btest/Baseline/plugins.hooks/output | 28 +++++++++++++------ 3 files changed, 35 insertions(+), 13 deletions(-) diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index b94df659b4..7b144198ee 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2014-10-31-20-38-14 +#open 2015-02-03-22-47-13 #fields name #types string scripts/base/init-bare.bro @@ -14,6 +14,8 @@ scripts/base/init-bare.bro build/scripts/base/bif/reporter.bif.bro build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro build/scripts/base/bif/event.bif.bro + scripts/base/frameworks/comm/__load__.bro + scripts/base/frameworks/comm/main.bro scripts/base/frameworks/logging/__load__.bro scripts/base/frameworks/logging/main.bro build/scripts/base/bif/logging.bif.bro @@ -47,6 +49,10 @@ scripts/base/init-bare.bro build/scripts/base/bif/bloom-filter.bif.bro build/scripts/base/bif/cardinality-counter.bif.bro build/scripts/base/bif/top-k.bif.bro + build/scripts/base/bif/comm.bif.bro + build/scripts/base/bif/data.bif.bro + build/scripts/base/bif/messaging.bif.bro + build/scripts/base/bif/store.bif.bro build/scripts/base/bif/plugins/__load__.bro build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro 
@@ -115,4 +121,4 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2014-10-31-20-38-14 +#close 2015-02-03-22-47-13 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 67de0fc1dc..b102ad26a5 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2014-10-31-20-38-48 +#open 2015-02-03-22-47-15 #fields name #types string scripts/base/init-bare.bro @@ -14,6 +14,8 @@ scripts/base/init-bare.bro build/scripts/base/bif/reporter.bif.bro build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro build/scripts/base/bif/event.bif.bro + scripts/base/frameworks/comm/__load__.bro + scripts/base/frameworks/comm/main.bro scripts/base/frameworks/logging/__load__.bro scripts/base/frameworks/logging/main.bro build/scripts/base/bif/logging.bif.bro @@ -47,6 +49,10 @@ scripts/base/init-bare.bro build/scripts/base/bif/bloom-filter.bif.bro build/scripts/base/bif/cardinality-counter.bif.bro build/scripts/base/bif/top-k.bif.bro + build/scripts/base/bif/comm.bif.bro + build/scripts/base/bif/data.bif.bro + build/scripts/base/bif/messaging.bif.bro + build/scripts/base/bif/store.bif.bro build/scripts/base/bif/plugins/__load__.bro build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro @@ -247,4 +253,4 @@ scripts/base/init-default.bro scripts/base/misc/find-checksum-offloading.bro scripts/base/misc/find-filtered-trace.bro scripts/policy/misc/loaded-scripts.bro -#close 2014-10-31-20-38-48 +#close 2015-02-03-22-47-15 
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 927a64692f..e198d94048 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -191,7 +191,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, (PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, (PacketFilter::LOG, [ts=1423003752.294979, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Conn::LOG)) -> 
@@ -285,8 +285,8 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -> -0.000000 MetaHookPost CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) -> -0.000000 MetaHookPost CallFunction(Log::write, (PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1423003752.294979, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, (PacketFilter::LOG, [ts=1423003752.294979, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::build, ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, (ip or not ip, and, )) -> @@ -401,10 +401,12 @@ 0.000000 MetaHookPost LoadFile(./bro.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./broxygen.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./cardinality-counter.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./comm.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./const.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./consts) -> -1 0.000000 MetaHookPost LoadFile(./consts.bro) -> -1 0.000000 MetaHookPost LoadFile(./contents) -> -1 +0.000000 MetaHookPost LoadFile(./data.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./dcc-send) -> -1 0.000000 MetaHookPost LoadFile(./entities) -> -1 0.000000 MetaHookPost LoadFile(./event.bif.bro) -> -1 
@@ -425,6 +427,7 @@ 0.000000 MetaHookPost LoadFile(./main) -> -1 0.000000 MetaHookPost LoadFile(./main.bro) -> -1 0.000000 MetaHookPost LoadFile(./max) -> -1 +0.000000 MetaHookPost LoadFile(./messaging.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./min) -> -1 0.000000 MetaHookPost LoadFile(./mozilla-ca-list) -> -1 0.000000 MetaHookPost LoadFile(./netstats) -> -1 @@ -440,6 +443,7 @@ 0.000000 MetaHookPost LoadFile(./sftp) -> -1 0.000000 MetaHookPost LoadFile(./site) -> -1 0.000000 MetaHookPost LoadFile(./std-dev) -> -1 +0.000000 MetaHookPost LoadFile(./store.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./strings.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./sum) -> -1 0.000000 MetaHookPost LoadFile(./top-k.bif.bro) -> -1 @@ -474,6 +478,7 @@ 0.000000 MetaHookPost LoadFile(base<...>/analyzer.bif) -> -1 0.000000 MetaHookPost LoadFile(base<...>/bro.bif) -> -1 0.000000 MetaHookPost LoadFile(base<...>/cluster) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/comm) -> -1 0.000000 MetaHookPost LoadFile(base<...>/communication) -> -1 0.000000 MetaHookPost LoadFile(base<...>/conn) -> -1 0.000000 MetaHookPost LoadFile(base<...>/conn-ids) -> -1 @@ -730,7 +735,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, (PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, (PacketFilter::LOG, [ts=1423003752.294979, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Conn::LOG)) 
@@ -824,8 +829,8 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -0.000000 MetaHookPre CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) -0.000000 MetaHookPre CallFunction(Log::write, (PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1423003752.294979, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, (PacketFilter::LOG, [ts=1423003752.294979, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Notice::want_pp, ()) 0.000000 MetaHookPre CallFunction(PacketFilter::build, ()) 0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, (ip or not ip, and, )) @@ -940,10 +945,12 @@ 0.000000 MetaHookPre LoadFile(./bro.bif.bro) 0.000000 MetaHookPre LoadFile(./broxygen.bif.bro) 0.000000 MetaHookPre LoadFile(./cardinality-counter.bif.bro) +0.000000 MetaHookPre LoadFile(./comm.bif.bro) 0.000000 MetaHookPre LoadFile(./const.bif.bro) 0.000000 MetaHookPre LoadFile(./consts) 0.000000 MetaHookPre LoadFile(./consts.bro) 0.000000 MetaHookPre LoadFile(./contents) +0.000000 MetaHookPre LoadFile(./data.bif.bro) 0.000000 MetaHookPre LoadFile(./dcc-send) 0.000000 MetaHookPre LoadFile(./entities) 0.000000 MetaHookPre LoadFile(./event.bif.bro) 
@@ -964,6 +971,7 @@ 0.000000 MetaHookPre LoadFile(./main) 0.000000 MetaHookPre LoadFile(./main.bro) 0.000000 MetaHookPre LoadFile(./max) +0.000000 MetaHookPre LoadFile(./messaging.bif.bro) 0.000000 MetaHookPre LoadFile(./min) 0.000000 MetaHookPre LoadFile(./mozilla-ca-list) 0.000000 MetaHookPre LoadFile(./netstats) @@ -979,6 +987,7 @@ 0.000000 MetaHookPre LoadFile(./sftp) 0.000000 MetaHookPre LoadFile(./site) 0.000000 MetaHookPre LoadFile(./std-dev) +0.000000 MetaHookPre LoadFile(./store.bif.bro) 0.000000 MetaHookPre LoadFile(./strings.bif.bro) 0.000000 MetaHookPre LoadFile(./sum) 0.000000 MetaHookPre LoadFile(./top-k.bif.bro) @@ -1013,6 +1022,7 @@ 0.000000 MetaHookPre LoadFile(base<...>/analyzer.bif) 0.000000 MetaHookPre LoadFile(base<...>/bro.bif) 0.000000 MetaHookPre LoadFile(base<...>/cluster) +0.000000 MetaHookPre LoadFile(base<...>/comm) 0.000000 MetaHookPre LoadFile(base<...>/communication) 0.000000 MetaHookPre LoadFile(base<...>/conn) 0.000000 MetaHookPre LoadFile(base<...>/conn-ids) @@ -1269,7 +1279,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1423003752.294979, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) 
@@ -1363,8 +1373,8 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql]) -0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1423003752.294979, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1423003752.294979, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Notice::want_pp() 0.000000 | HookCallFunction PacketFilter::build() 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, ) From 9592f6422530aff4873d31453954acacd6034e43 Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Thu, 5 Feb 2015 12:44:10 -0500 Subject: [PATCH 028/109] Update the SOCKS analyzer to support user/pass login. - This addresses BIT-1011 - Add a new field to socks.log; "password". - Two new events; socks_login_userpass and socks_login_reply. - One new weird for unsupported authentication method. - A new test for authenticated socks traffic. - Credit to Nicolas Retrain for the initial patch. Thanks! --- scripts/base/protocols/socks/main.bro | 22 ++++++- src/analyzer/protocol/socks/SOCKS.cc | 3 +- src/analyzer/protocol/socks/events.bif | 16 +++++ .../protocol/socks/socks-analyzer.pac | 40 ++++++++++++ .../protocol/socks/socks-protocol.pac | 57 +++++++++++++++--- .../socks.log | 10 +++ .../tunnel.log | 10 +++ .../socks.log | 10 +-- .../socks.log | 10 +-- testing/btest/Traces/socks-auth.pcap | Bin 0 -> 1326 bytes .../base/protocols/socks/socks-auth.bro | 5 ++ 11 files changed, 162 insertions(+), 21 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.socks.socks-auth/socks.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.socks.socks-auth/tunnel.log create mode 100644 testing/btest/Traces/socks-auth.pcap create mode 100644 testing/btest/scripts/base/protocols/socks/socks-auth.bro diff --git a/scripts/base/protocols/socks/main.bro b/scripts/base/protocols/socks/main.bro index 713161d442..f60c3ce41c 100644 --- a/scripts/base/protocols/socks/main.bro +++ b/scripts/base/protocols/socks/main.bro @@ -16,8 +16,10 @@ export { id: conn_id &log; ## Protocol version of SOCKS. version: count &log; - ## Username for the proxy if extracted from the network. + ## Username used to request a login to the proxy. user: string &log &optional; + ## Password used to request a login to the proxy. + password: string &log &optional; ## Server status for the attempt at using the proxy. status: string &log &optional; ## Client requested SOCKS address. Could be an address, a name 
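Review bot: The new `password: string &log &optional;` field means every SOCKS5 username/password login seen on the wire is written to socks.log in cleartext with no switch to turn it off; the socks-auth baseline added by this commit shows the password column populated. Log files are usually retained longer and read by more people than the capture they came from, so credential logging is normally opt-in. Consider adding `const default_capture_password = F &redef;` to the export block and guarding the assignment in the `socks_login_userpass` handler (the second hunk of this file) with `if ( default_capture_password ) c$socks$password = password;`. The Info record continues outside this hunk.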
@@ -91,3 +93,21 @@ event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Addres if ( "SOCKS" in c$service ) Log::write(SOCKS::LOG, c$socks); } + +event socks_login_userpass(c: connection, user: string, password: string) &priority=5 + { + # Authentication only possible with the version 5. + set_session(c, 5); + + c$socks$user = user; + c$socks$password = password; + } + +event socks_login_reply(c: connection, code: count) &priority=5 + { + # Authentication only possible with the version 5. + set_session(c, 5); + + c$socks$status = v5_status[code]; + } + diff --git a/src/analyzer/protocol/socks/SOCKS.cc b/src/analyzer/protocol/socks/SOCKS.cc index e678528f35..ec1e85653b 100644 --- a/src/analyzer/protocol/socks/SOCKS.cc +++ b/src/analyzer/protocol/socks/SOCKS.cc @@ -57,8 +57,7 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig) // with the rest of the conneciton. // // Note that we assume that no payload data arrives before both endpoints - // are done with there part of the SOCKS protocol. - + // are done with their part of the SOCKS protocol. if ( ! pia ) { pia = new pia::PIA_TCP(Conn()); diff --git a/src/analyzer/protocol/socks/events.bif b/src/analyzer/protocol/socks/events.bif index 4f1f8ad1cd..ece69140a1 100644 --- a/src/analyzer/protocol/socks/events.bif +++ b/src/analyzer/protocol/socks/events.bif 
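Review bot: In `socks_login_reply`, `c$socks$status = v5_status[code];` indexes a table with a byte taken from the server's reply, and `v5_status` is defined outside this diff. If it is the table of SOCKS5 request reply codes, the login status (where 0 means success and any other value means failure) lands in a different code space, so a rejected login would be logged under an unrelated reply name, and an index miss would be a runtime error unless the table carries a `&default`. A mapping local to the handler avoids both: `c$socks$status = code == 0 ? "succeeded" : "login failed";`.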
@@ -27,3 +27,19 @@ event socks_request%(c: connection, version: count, request_type: count, sa: SOC ## p: The destination port for the proxied traffic. event socks_reply%(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port%); +## Generated when a SOCKS client performs username and password based login. +## +## c: The parent connection of the proxy. +## +## user: The given username. +## +## password: The given password. +event socks_login_userpass%(c: connection, user: string, password: string%); + +## Generated when a SOCKS server replies to a login attempt. +## +## c: The parent connection of the proxy. +## +## code: The response code for the attempted login. +event socks_login_reply%(c: connection, code: count%); + diff --git a/src/analyzer/protocol/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac index db98b3f4b3..7d634e2f46 100644 --- a/src/analyzer/protocol/socks/socks-analyzer.pac +++ b/src/analyzer/protocol/socks/socks-analyzer.pac 
@@ -148,6 +148,31 @@ refine connection SOCKS_Conn += { return true; %} + function socks5_auth_request_userpass(request: SOCKS5_Auth_Request_UserPass): bool + %{ + StringVal* user = new StringVal(${request.username}.length(), (const char*) ${request.username}.begin()); + StringVal* pass = new StringVal(${request.password}.length(), (const char*) ${request.password}.begin()); + + BifEvent::generate_socks_login_userpass(bro_analyzer(), + bro_analyzer()->Conn(), + user, pass); + return true; + %} + + function socks5_unsupported_authentication(auth_method: uint8): bool + %{ + reporter->Weird(bro_analyzer()->Conn(), fmt("socks5_unsupported_authentication_%d", auth_method)); + return true; + %} + + function socks5_auth_reply(reply: SOCKS5_Auth_Reply): bool + %{ + BifEvent::generate_socks_login_reply(bro_analyzer(), + bro_analyzer()->Conn(), + ${reply.code}); + return true; + %} + function version_error(version: uint8): bool %{ bro_analyzer()->ProtocolViolation(fmt("unsupported/unknown SOCKS version %d", version)); @@ -176,3 +201,18 @@ refine typeattr SOCKS5_Request += &let { refine typeattr SOCKS5_Reply += &let { proc: bool = $context.connection.socks5_reply(this); }; + +refine typeattr SOCKS5_Auth_Negotiation_Reply += &let { +}; + +refine typeattr SOCKS5_Auth_Request_UserPass += &let { + proc: bool = $context.connection.socks5_auth_request_userpass(this); +}; + +refine typeattr SOCKS5_Auth_Reply += &let { + proc: bool = $context.connection.socks5_auth_reply(this); +}; + +refine typeattr SOCKS5_Unsupported_Authentication += &let { + proc: bool = $context.connection.socks5_unsupported_authentication($context.connection.v5_auth_method()); +}; diff --git a/src/analyzer/protocol/socks/socks-protocol.pac b/src/analyzer/protocol/socks/socks-protocol.pac index 05ca4bc861..4e48ea0672 100644 --- a/src/analyzer/protocol/socks/socks-protocol.pac +++ b/src/analyzer/protocol/socks/socks-protocol.pac 
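Review bot: `socks5_unsupported_authentication` builds the weird name with `fmt("socks5_unsupported_authentication_%d", auth_method)`, and `auth_method` is the method byte selected by the remote server, so the peer influences the name and up to 256 distinct weirds can appear. Weird names work best as fixed identifiers that can be counted, filtered and alerted on; if this Reporter version accepts the additional-info argument, pass the number there instead: `reporter->Weird(bro_analyzer()->Conn(), "socks5_unsupported_authentication", fmt("%d", auth_method));`. Separately, the empty `refine typeattr SOCKS5_Auth_Negotiation_Reply += &let { };` in the following hunk does nothing and can be removed.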
@@ -2,9 +2,10 @@ type SOCKS_Version(is_orig: bool) = record { version: uint8; msg: case version of { - 4 -> socks4_msg: SOCKS4_Message(is_orig); - 5 -> socks5_msg: SOCKS5_Message(is_orig); - default -> socks_msg_fail: SOCKS_Version_Error(version); + 1 -> socks5_auth_msg: SOCKS5_Auth_Message(is_orig); + 4 -> socks4_msg: SOCKS4_Message(is_orig); + 5 -> socks5_msg: SOCKS5_Message(is_orig); + default -> socks_msg_fail: SOCKS_Version_Error(version); }; }; @@ -14,10 +15,11 @@ type SOCKS_Version_Error(version: uint8) = record { # SOCKS5 Implementation type SOCKS5_Message(is_orig: bool) = case $context.connection.v5_past_authentication() of { - true -> msg: SOCKS5_Real_Message(is_orig); false -> auth: SOCKS5_Auth_Negotiation(is_orig); + true -> msg: SOCKS5_Real_Message(is_orig); }; + type SOCKS5_Auth_Negotiation(is_orig: bool) = case is_orig of { true -> req: SOCKS5_Auth_Negotiation_Request; false -> rep: SOCKS5_Auth_Negotiation_Reply; @@ -32,6 +34,32 @@ type SOCKS5_Auth_Negotiation_Reply = record { selected_auth_method: uint8; } &let { past_auth = $context.connection.set_v5_past_authentication(); + set_auth = $context.connection.set_v5_auth_method(selected_auth_method); +}; + +type SOCKS5_Auth_Message(is_orig: bool) = case is_orig of { + true -> req: SOCKS5_Auth_Request; + false -> rep: SOCKS5_Auth_Reply; +}; + +type SOCKS5_Auth_Request = case $context.connection.v5_auth_method() of { + 0x02 -> userpass : SOCKS5_Auth_Request_UserPass; + default -> unsupported : SOCKS5_Unsupported_Authentication; +}; + +type SOCKS5_Unsupported_Authentication = record { + crap: bytestring &restofdata; +}; + +type SOCKS5_Auth_Request_UserPass = record { + ulen : uint8; + username : bytestring &length=ulen; + plen : uint8; + password : bytestring &length=plen; +}; + +type SOCKS5_Auth_Reply = record { + code : uint8; }; type SOCKS5_Real_Message(is_orig: bool) = case is_orig of { 
@@ -55,10 +83,10 @@ type SOCKS5_Address = record { } &byteorder = bigendian; type SOCKS5_Request = record { - command: uint8; - reserved: uint8; - remote_name: SOCKS5_Address; - port: uint16; + command : uint8; + reserved : uint8; + remote_name : SOCKS5_Address; + port : uint16; } &byteorder = bigendian; type SOCKS5_Reply = record { @@ -99,10 +127,12 @@ type SOCKS4_Reply = record { refine connection SOCKS_Conn += { %member{ bool v5_authenticated_; + uint8 selected_auth_method_; %} %init{ v5_authenticated_ = false; + selected_auth_method_ = 255; %} function v5_past_authentication(): bool @@ -115,5 +145,16 @@ refine connection SOCKS_Conn += { v5_authenticated_ = true; return true; %} + + function set_v5_auth_method(method: uint8): bool + %{ + selected_auth_method_ = method; + return true; + %} + + function v5_auth_method(): uint8 + %{ + return selected_auth_method_; + %} }; diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth/socks.log b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth/socks.log new file mode 100644 index 0000000000..cc5fa80191 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth/socks.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path socks +#open 2015-02-05-16-13-12 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user password status request.host request.name request_p bound.host bound.name bound_p +#types time string addr port addr port count string string string addr string port addr string port +1368517392.724989 CXWv6p3arKYeMETxOg 192.168.0.2 55951 192.168.0.1 1080 5 bob alice succeeded 192.168.0.2 - 22 192.168.0.1 - 55951 +#close 2015-02-05-16-13-12 diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth/tunnel.log b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth/tunnel.log new file mode 100644 index 0000000000..d53238df93 --- /dev/null 
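Review bot: `selected_auth_method_ = 255;` in the `%init` block (hunk at -99,10) is an uncommented sentinel, and 0xFF is also the value a SOCKS5 server sends for "no acceptable methods", so `v5_auth_method()` cannot distinguish "nothing negotiated yet" from "server refused every method". Both cases fall into the `default` branch of `SOCKS5_Auth_Request` and end up as the unsupported-authentication weird. At minimum add a comment such as `// 0xFF: no method selected (also the RFC 1928 "no acceptable methods" value)`; a separate boolean for "method negotiated" would remove the ambiguity.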
+++ b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth/tunnel.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2015-02-05-16-13-12 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1368517392.728523 - 192.168.0.2 0 192.168.0.1 1080 Tunnel::SOCKS Tunnel::DISCOVER +#close 2015-02-05-16-13-12 diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.trace1/socks.log b/testing/btest/Baseline/scripts.base.protocols.socks.trace1/socks.log index 148e4adf02..f69df31b66 100644 --- a/testing/btest/Baseline/scripts.base.protocols.socks.trace1/socks.log +++ b/testing/btest/Baseline/scripts.base.protocols.socks.trace1/socks.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path socks -#open 2013-08-26-19-04-20 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user status request.host request.name request_p bound.host bound.name bound_p -#types time string addr port addr port count string string addr string port addr string port -1340213015.276495 CjhGID4nQcgTWjvg4c 10.0.0.55 53994 60.190.189.214 8124 5 - succeeded - www.osnews.com 80 192.168.0.31 - 2688 -#close 2013-08-26-19-04-20 +#open 2015-02-05-17-39-14 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user password status request.host request.name request_p bound.host bound.name bound_p +#types time string addr port addr port count string string string addr string port addr string port +1340213015.276495 CjhGID4nQcgTWjvg4c 10.0.0.55 53994 60.190.189.214 8124 5 - - succeeded - www.osnews.com 80 192.168.0.31 - 2688 +#close 2015-02-05-17-39-14 diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.trace2/socks.log b/testing/btest/Baseline/scripts.base.protocols.socks.trace2/socks.log index d706a11da3..de7b26f875 100644 --- a/testing/btest/Baseline/scripts.base.protocols.socks.trace2/socks.log 
+++ b/testing/btest/Baseline/scripts.base.protocols.socks.trace2/socks.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path socks -#open 2013-08-26-19-04-20 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user status request.host request.name request_p bound.host bound.name bound_p -#types time string addr port addr port count string string addr string port addr string port -1340113261.914619 CXWv6p3arKYeMETxOg 10.0.0.50 59580 85.194.84.197 1080 5 - succeeded - www.google.com 443 0.0.0.0 - 443 -#close 2013-08-26-19-04-20 +#open 2015-02-05-17-39-29 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user password status request.host request.name request_p bound.host bound.name bound_p +#types time string addr port addr port count string string string addr string port addr string port +1340113261.914619 CXWv6p3arKYeMETxOg 10.0.0.50 59580 85.194.84.197 1080 5 - - succeeded - www.google.com 443 0.0.0.0 - 443 +#close 2015-02-05-17-39-29 diff --git a/testing/btest/Traces/socks-auth.pcap b/testing/btest/Traces/socks-auth.pcap new file mode 100644 index 0000000000000000000000000000000000000000..1570e229473da081b50bd3906a3263503896de6a GIT binary patch literal 1326 zcmaKsPiWIn9LIkzFX_UfGfpY9D5wV$MAW)E5-sZxrA#(N@HTb2xuGEQ<~hefgf^Ff z?y`ypWlTXt@T54QNb%3Wfs`J-dGe;Xrv84frsSp7!mlJDeDZyt_xrss>(46+s1W^H zEdYi$=J(*@yAOSE9;2`oPSwl-kr!CAid?8JV@=wjO=e-!>&?Rx1mE3X;fWA*S{i& z13igDJP3bxhz&rZ#(^t@okwgesH`BDbqKrYBowqz!IEb><FdsoPSj;elW54rQ$+{kxuPd#Iyhx zzeOpVI}Dh_gj8KR3;whqrg{=lr+G;xGCp%>M!SCd*6bX?cbQV$q|{SF!HBFN!%%8P zNPQH+ZB$^1etNR^zfw;N;&4wQO8s=dLu?X}31)4d0TZ}q12|v+EW5)GH~I95uaJvKz{QEvA^*sZ@mQR#e>ZU7(~phT976yr03CO%@0dt zxfS9wD^3GQ*GmUBeoi2LnPztVZk%i>m^_S5gV#v@_b6=6iOl_p%*#lh^h{U(QH^}q qAvzXq>*gfGvW3xXUhLZ8h}b?~G93G0)x%voJ}wcNhPU)?z4Ql$s7wg} literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/socks/socks-auth.bro b/testing/btest/scripts/base/protocols/socks/socks-auth.bro new file mode 100644 index 0000000000..2123dc1d45 
--- /dev/null +++ b/testing/btest/scripts/base/protocols/socks/socks-auth.bro @@ -0,0 +1,5 @@ +# @TEST-EXEC: bro -r $TRACES/socks-auth.pcap %INPUT +# @TEST-EXEC: btest-diff socks.log +# @TEST-EXEC: btest-diff tunnel.log + +@load base/protocols/socks From 0253f49a9433766bcbe3530a9a63f80592d0504c Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 6 Feb 2015 16:54:01 -0600 Subject: [PATCH 029/109] broker integration: adapt to change in expiration_time --- aux/broker | 2 +- src/comm/store.bif | 20 +++++++++++++------- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/aux/broker b/aux/broker index 0760c6808c..b0d97b1fcb 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 0760c6808c1d035b7e9f484daefe8ba0a3d6ee13 +Subproject commit b0d97b1fcbdcb9027bd34031c8706be0c0ab315b diff --git a/src/comm/store.bif b/src/comm/store.bif index 7d09704d31..18e63282e8 100644 --- a/src/comm/store.bif +++ b/src/comm/store.bif 
@@ -108,20 +108,26 @@ function Store::insert%(h: opaque of Store::Handle, auto& key = comm::opaque_field_to_data(k->AsRecordVal(), frame); auto& val = comm::opaque_field_to_data(v->AsRecordVal(), frame); - broker::util::optional expiry; + using broker::store::expiration_time; + broker::util::optional expiry; auto abs_expiry_val = e->AsRecordVal()->Lookup(0); - auto rel_expiry_val = e->AsRecordVal()->Lookup(1); if ( abs_expiry_val ) { - auto tag = broker::store::expiration_time::tag::absolute; - expiry = broker::store::expiration_time(abs_expiry_val->AsTime(), tag); + expiry = expiration_time(abs_expiry_val->AsTime()); + handle->store->insert(key, val, expiry); + return new Val(true, TYPE_BOOL); } - else if ( rel_expiry_val ) + + auto rel_expiry_val = e->AsRecordVal()->Lookup(1); + + if ( rel_expiry_val ) { - auto tag = broker::store::expiration_time::tag::since_last_modification; - expiry = broker::store::expiration_time(rel_expiry_val->AsInterval(), tag); + auto ct = broker::time_point::now().value; + expiry = expiration_time(rel_expiry_val->AsInterval(), ct); + handle->store->insert(key, val, expiry); + return new Val(true, TYPE_BOOL); } handle->store->insert(key, val, expiry); From 530c3c0c6b19fe0e708a076a79567f9fa8334216 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Sun, 8 Feb 2015 18:20:38 -0800 Subject: [PATCH 030/109] Changing load order for plugin scripts. This can be need if they depends on each other. --- src/plugin/Manager.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index 2ca34d94f3..ab0b85676b 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -172,7 +172,7 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ // Load {bif,scripts}/__load__.bro automatically. - string init = dir + "scripts/__load__.bro"; + string init = dir + "lib/bif/__load__.bro"; if ( is_file(init) ) { 
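Review bot: Both new expiry branches in `Store::insert` repeat `handle->store->insert(key, val, expiry);` and `return new Val(true, TYPE_BOOL);`, which the unchanged tail of the hunk already does for the no-expiry case. Keeping only the `expiry = expiration_time(...)` assignment in each branch, and making the second test `else if ( rel_expiry_val )`, lets all three cases fall through to that single insert. The fields are also read by position (`Lookup(0)`, `Lookup(1)`); a comment naming which record field each index refers to would keep this from drifting if the record is reordered. The function starts before and ends after this hunk.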
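Review bot: Nothing in `ActivateDynamicPluginInternal` records that the order of the two `__load__.bro` lookups now matters, and the context comment still reads `{bif,scripts}` while the path tested first is `lib/bif/__load__.bro`. A comment above the first lookup, for example `// lib/bif/__load__.bro goes first: the plugin's scripts may depend on what it declares.`, would keep a later cleanup from swapping them back. That reason is inferred from the commit message. The second half of the swap is in the following hunk (`@@ -180,7`), and the function starts and ends outside both.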
@@ -180,7 +180,7 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ scripts_to_load.push_back(init); } - init = dir + "lib/bif/__load__.bro"; + init = dir + "scripts/__load__.bro"; if ( is_file(init) ) { From 23b9705a7bbd6333b767b8908be2ddcf7017b5a5 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Sun, 8 Feb 2015 18:21:23 -0800 Subject: [PATCH 031/109] Fixing analyzer tag types for some Files::* functions. --- CHANGES | 6 ++++++ VERSION | 2 +- scripts/base/frameworks/files/main.bro | 22 +++++++++++----------- 3 files changed, 18 insertions(+), 12 deletions(-) diff --git a/CHANGES b/CHANGES index d1031765cc..3367c878cd 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,10 @@ +2.3-413 | 2015-02-08 18:23:05 -0800 + + * Fixing analyzer tag types for some Files::* functions. (Robin Sommer) + + * Changing load order for plugin scripts. (Robin Sommer) + 2.3-411 | 2015-02-05 10:05:48 -0600 * Fix file analysis of files with total size below the bof_buffer size diff --git a/VERSION b/VERSION index defa33cc31..fca56f2eeb 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-411 +2.3-413 diff --git a/scripts/base/frameworks/files/main.bro b/scripts/base/frameworks/files/main.bro index e335d4be9d..94a46578c0 100644 --- a/scripts/base/frameworks/files/main.bro +++ b/scripts/base/frameworks/files/main.bro @@ -267,7 +267,7 @@ export { ## mts: The set of MIME types, each in the form "foo/bar" (case-insensitive). ## ## Returns: True if the MIME types were successfully registered. - global register_for_mime_types: function(tag: Analyzer::Tag, mts: set[string]) : bool; + global register_for_mime_types: function(tag: Files::Tag, mts: set[string]) : bool; ## Registers a MIME type for an analyzer. If a future file with this type is seen, ## the analyzer will be automatically assigned to parsing it. The function *adds* 
@@ -278,20 +278,20 @@ export { ## mt: The MIME type in the form "foo/bar" (case-insensitive). ## ## Returns: True if the MIME type was successfully registered. - global register_for_mime_type: function(tag: Analyzer::Tag, mt: string) : bool; + global register_for_mime_type: function(tag: Files::Tag, mt: string) : bool; ## Returns a set of all MIME types currently registered for a specific analyzer. ## ## tag: The tag of the analyzer. ## ## Returns: The set of MIME types. - global registered_mime_types: function(tag: Analyzer::Tag) : set[string]; + global registered_mime_types: function(tag: Files::Tag) : set[string]; ## Returns a table of all MIME-type-to-analyzer mappings currently registered. ## ## Returns: A table mapping each analyzer to the set of MIME types ## registered for it. - global all_registered_mime_types: function() : table[Analyzer::Tag] of set[string]; + global all_registered_mime_types: function() : table[Files::Tag] of set[string]; ## Event that can be handled to access the Info record as it is sent on ## to the logging framework. @@ -306,8 +306,8 @@ redef record fa_file += { global registered_protocols: table[Analyzer::Tag] of ProtoRegistration = table(); # Store the MIME type to analyzer mappings. -global mime_types: table[Analyzer::Tag] of set[string]; -global mime_type_to_analyzers: table[string] of set[Analyzer::Tag]; +global mime_types: table[Files::Tag] of set[string]; +global mime_type_to_analyzers: table[string] of set[Files::Tag]; global analyzer_add_callbacks: table[Files::Tag] of function(f: fa_file, args: AnalyzerArgs) = table(); @@ -401,7 +401,7 @@ function register_protocol(tag: Analyzer::Tag, reg: ProtoRegistration): bool return result; } -function register_for_mime_types(tag: Analyzer::Tag, mime_types: set[string]) : bool +function register_for_mime_types(tag: Files::Tag, mime_types: set[string]) : bool { local rc = T; 
@@ -414,7 +414,7 @@ function register_for_mime_types(tag: Analyzer::Tag, mime_types: set[string]) : return rc; } -function register_for_mime_type(tag: Analyzer::Tag, mt: string) : bool +function register_for_mime_type(tag: Files::Tag, mt: string) : bool { if ( tag !in mime_types ) { @@ -431,12 +431,12 @@ function register_for_mime_type(tag: Analyzer::Tag, mt: string) : bool return T; } -function registered_mime_types(tag: Analyzer::Tag) : set[string] +function registered_mime_types(tag: Files::Tag) : set[string] { return tag in mime_types ? mime_types[tag] : set(); } -function all_registered_mime_types(): table[Analyzer::Tag] of set[string] +function all_registered_mime_types(): table[Files::Tag] of set[string] { return mime_types; } @@ -451,7 +451,7 @@ function describe(f: fa_file): string return handler$describe(f); } -event get_file_handle(tag: Analyzer::Tag, c: connection, is_orig: bool) &priority=5 +event get_file_handle(tag: Files::Tag, c: connection, is_orig: bool) &priority=5 { if ( tag !in registered_protocols ) return; From 5f0a27ca31443ee3c308e49ff5b6e6b1c2fec963 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 9 Feb 2015 12:10:49 -0800 Subject: [PATCH 032/109] Submodule update - newest sqlite version --- src/3rdparty | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/3rdparty b/src/3rdparty index 7e15efe9d2..f2e34d731e 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit 7e15efe9d28d46bfa662fcdd1cbb15ce1db285c9 +Subproject commit f2e34d731ed29bb993fbb065846faa342a8c824f From afc5767165eb6357c9564937e7975759ce76258c Mon Sep 17 00:00:00 2001 
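Review bot: The handler `get_file_handle` in the `@@ -451,7` hunk now takes `tag: Files::Tag`, but its first statement is `if ( tag !in registered_protocols )`. In the context of the `@@ -306,8` hunk, `registered_protocols` is still declared `table[Analyzer::Tag] of ProtoRegistration`, and `register_protocol` keeps `tag: Analyzer::Tag`. The index type no longer matches the parameter. This event appears to be keyed by the protocol analyzer rather than a file analyzer, so the line probably should have stayed `event get_file_handle(tag: Analyzer::Tag, c: connection, is_orig: bool) &priority=5`, unlike the MIME-type functions where `Files::Tag` is the right fix. The handler body continues past the end of the hunk.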
From: Jon Siwek Date: Mon, 9 Feb 2015 15:48:42 -0600 Subject: [PATCH 033/109] broker integration: add events for incoming connection status updates e.g. for the listen() side of connections to tell when peers have connected or disconnected. --- aux/broker | 2 +- src/comm/Manager.cc | 74 +++++++++++++------ src/comm/comm.bif | 53 +++++++++++++ src/comm/messaging.bif | 49 ------------ .../comm.connection_updates/recv.recv.out | 2 + .../comm.connection_updates/send.send.out | 1 + .../Baseline/comm.remote_event/send.send.out | 2 +- .../Baseline/comm.remote_log/send.send.out | 2 +- .../Baseline/comm.remote_print/send.send.out | 2 +- testing/btest/comm/clone_store.bro | 6 +- testing/btest/comm/connection_updates.bro | 55 ++++++++++++++ testing/btest/comm/remote_event.test | 8 +- testing/btest/comm/remote_log.test | 8 +- testing/btest/comm/remote_print.test | 8 +- 14 files changed, 182 insertions(+), 90 deletions(-) create mode 100644 testing/btest/Baseline/comm.connection_updates/recv.recv.out create mode 100644 testing/btest/Baseline/comm.connection_updates/send.send.out create mode 100644 testing/btest/comm/connection_updates.bro diff --git a/aux/broker b/aux/broker index b0d97b1fcb..4fae86cd67 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit b0d97b1fcbdcb9027bd34031c8706be0c0ab315b +Subproject commit 4fae86cd67b999f48a2f2f354c91e4b1b343b2a1 diff --git a/src/comm/Manager.cc b/src/comm/Manager.cc index 7db80ebb40..1dc7cc5415 100644 --- a/src/comm/Manager.cc +++ b/src/comm/Manager.cc @@ -8,6 +8,7 @@ #include "util.h" #include "Var.h" #include "Reporter.h" +#include "comm/comm.bif.h" #include "comm/data.bif.h" #include "comm/messaging.bif.h" #include "comm/store.bif.h" 
@@ -444,7 +445,8 @@ int comm::Manager::GetFlags(Val* flags) void comm::Manager::GetFds(iosource::FD_Set* read, iosource::FD_Set* write, iosource::FD_Set* except) { - read->Insert(endpoint->peer_status().fd()); + read->Insert(endpoint->outgoing_connection_status().fd()); + read->Insert(endpoint->incoming_connection_status().fd()); for ( const auto& ps : print_subscriptions ) read->Insert(ps.second.fd()); 
@@ -523,57 +525,85 @@ static RecordVal* response_to_val(broker::store::response r) void comm::Manager::Process() { bool idle = true; - auto peer_status_updates = endpoint->peer_status().want_pop(); + auto outgoing_connection_updates = + endpoint->outgoing_connection_status().want_pop(); + auto incoming_connection_updates = + endpoint->incoming_connection_status().want_pop(); - if ( ! peer_status_updates.empty() ) + for ( auto& u : outgoing_connection_updates ) + { idle = false; - for ( auto& u : peer_status_updates ) - { - if ( ! u.relation.remote() ) - continue; - switch ( u.status ) { - case broker::peer_status::tag::established: - if ( Comm::remote_connection_established ) + case broker::outgoing_connection_status::tag::established: + if ( Comm::outgoing_connection_established ) { val_list* vl = new val_list; vl->append(new StringVal(u.relation.remote_tuple().first)); vl->append(new PortVal(u.relation.remote_tuple().second, TRANSPORT_TCP)); vl->append(new StringVal(u.peer_name)); - mgr.QueueEvent(Comm::remote_connection_established, vl); + mgr.QueueEvent(Comm::outgoing_connection_established, vl); } - break; - case broker::peer_status::tag::disconnected: - if ( Comm::remote_connection_broken ) + case broker::outgoing_connection_status::tag::disconnected: + if ( Comm::outgoing_connection_broken ) { val_list* vl = new val_list; vl->append(new StringVal(u.relation.remote_tuple().first)); vl->append(new PortVal(u.relation.remote_tuple().second, TRANSPORT_TCP)); - mgr.QueueEvent(Comm::remote_connection_broken, vl); + mgr.QueueEvent(Comm::outgoing_connection_broken, vl); } - break; - case broker::peer_status::tag::incompatible: - if ( Comm::remote_connection_incompatible ) + case broker::outgoing_connection_status::tag::incompatible: + if ( Comm::outgoing_connection_incompatible ) { val_list* vl = new val_list; vl->append(new StringVal(u.relation.remote_tuple().first)); vl->append(new PortVal(u.relation.remote_tuple().second, TRANSPORT_TCP)); - 
mgr.QueueEvent(Comm::remote_connection_incompatible, vl); + mgr.QueueEvent(Comm::outgoing_connection_incompatible, vl); } - break; default: - reporter->InternalWarning("unknown broker::peer_status::tag : %d", - static_cast(u.status)); + reporter->InternalWarning( + "unknown broker::outgoing_connection_status::tag : %d", + static_cast(u.status)); + break; + } + } + + for ( auto& u : incoming_connection_updates ) + { + idle = false; + + switch ( u.status ) { + case broker::incoming_connection_status::tag::established: + if ( Comm::incoming_connection_established ) + { + val_list* vl = new val_list; + vl->append(new StringVal(u.peer_name)); + mgr.QueueEvent(Comm::incoming_connection_established, vl); + } + break; + + case broker::incoming_connection_status::tag::disconnected: + if ( Comm::incoming_connection_broken ) + { + val_list* vl = new val_list; + vl->append(new StringVal(u.peer_name)); + mgr.QueueEvent(Comm::incoming_connection_broken, vl); + } + break; + + default: + reporter->InternalWarning( + "unknown broker::incoming_connection_status::tag : %d", + static_cast(u.status)); break; } } diff --git a/src/comm/comm.bif b/src/comm/comm.bif index 7f8d85b720..e87c6c1144 100644 --- a/src/comm/comm.bif +++ b/src/comm/comm.bif 
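Review bot: The two incoming cases in `Process()` queue events that carry only `u.peer_name`. In the `connection_updates` test added by this commit that value is whatever the connecting side set through `Comm::endpoint_name` ("connector"), so it is self-reported by the peer. A script handling `Comm::incoming_connection_established` therefore has no reliable way to tell peers apart or to decide whether a peer should be trusted. If broker's `incoming_connection_status` exposes the remote address, passing it along as the outgoing cases do would help. Otherwise a comment above the incoming loop would make the limit explicit, for example `// peer_name is chosen by the remote endpoint; it is not an authenticated identity`. `Process()` continues past the end of this hunk.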
@@ -11,3 +11,56 @@ function Comm::enable%(%): bool %{ return new Val(comm_mgr->Enable(), TYPE_BOOL); %} + +event Comm::outgoing_connection_established%(peer_address: string, + peer_port: port, + peer_name: string%); + +event Comm::outgoing_connection_broken%(peer_address: string, + peer_port: port%); + +event Comm::outgoing_connection_incompatible%(peer_address: string, + peer_port: port%); + +event Comm::incoming_connection_established%(peer_name: string%); + +event Comm::incoming_connection_broken%(peer_name: string%); + +function Comm::listen%(p: port, a: string &default = "", + reuse: bool &default = T%): bool + %{ + if ( ! p->IsTCP() ) + { + reporter->Error("listen port must use tcp"); + return new Val(false, TYPE_BOOL); + } + + auto rval = comm_mgr->Listen(p->Port(), a->Len() ? a->CheckString() : 0, + reuse); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::connect%(a: string, p: port, retry: interval%): bool + %{ + if ( ! p->IsTCP() ) + { + reporter->Error("remote connection port must use tcp"); + return new Val(false, TYPE_BOOL); + } + + auto rval = comm_mgr->Connect(a->CheckString(), p->Port(), + std::chrono::duration(retry)); + return new Val(rval, TYPE_BOOL); + %} + +function Comm::disconnect%(a: string, p: port%): bool + %{ + if ( ! p->IsTCP() ) + { + reporter->Error("remote connection port must use tcp"); + return new Val(false, TYPE_BOOL); + } + + auto rval = comm_mgr->Disconnect(a->CheckString(), p->Port()); + return new Val(rval, TYPE_BOOL); + %} diff --git a/src/comm/messaging.bif b/src/comm/messaging.bif index f5034f842f..26f9497449 100644 --- a/src/comm/messaging.bif +++ b/src/comm/messaging.bif 
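Review bot: `Comm::listen` passes a null address to `comm_mgr->Listen` when `a` is left at its default `""` (`a->Len() ? a->CheckString() : 0`), and the declaration does not say what that binds to. What `Listen` does with a null address is outside this hunk. If it means every local interface, a script that omits `a` exposes the endpoint beyond loopback without saying so; the tests in this commit all pass `"127.0.0.1"` explicitly. A `##` comment on the function would settle it, for example `## a: Address to listen on; when empty a null address is passed to the manager (state here which interfaces that binds).`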
@@ -12,55 +12,6 @@ type Comm::SendFlags: record; type Comm::EventArgs: record; -event Comm::remote_connection_established%(peer_address: string, - peer_port: port, - peer_name: string%); - -event Comm::remote_connection_broken%(peer_address: string, - peer_port: port%); - -event Comm::remote_connection_incompatible%(peer_address: string, - peer_port: port%); - -function Comm::listen%(p: port, a: string &default = "", - reuse: bool &default = T%): bool - %{ - if ( ! p->IsTCP() ) - { - reporter->Error("listen port must use tcp"); - return new Val(false, TYPE_BOOL); - } - - auto rval = comm_mgr->Listen(p->Port(), a->Len() ? a->CheckString() : 0, - reuse); - return new Val(rval, TYPE_BOOL); - %} - -function Comm::connect%(a: string, p: port, retry: interval%): bool - %{ - if ( ! p->IsTCP() ) - { - reporter->Error("remote connection port must use tcp"); - return new Val(false, TYPE_BOOL); - } - - auto rval = comm_mgr->Connect(a->CheckString(), p->Port(), - std::chrono::duration(retry)); - return new Val(rval, TYPE_BOOL); - %} - -function Comm::disconnect%(a: string, p: port%): bool - %{ - if ( ! p->IsTCP() ) - { - reporter->Error("remote connection port must use tcp"); - return new Val(false, TYPE_BOOL); - } - - auto rval = comm_mgr->Disconnect(a->CheckString(), p->Port()); - return new Val(rval, TYPE_BOOL); - %} - event Comm::print_handler%(msg: string%); function Comm::print%(topic: string, msg: string, diff --git a/testing/btest/Baseline/comm.connection_updates/recv.recv.out b/testing/btest/Baseline/comm.connection_updates/recv.recv.out new file mode 100644 index 0000000000..3f2a1a9670 --- /dev/null +++ b/testing/btest/Baseline/comm.connection_updates/recv.recv.out @@ -0,0 +1,2 @@ +Comm::incoming_connection_established, connector +Comm::incoming_connection_broken, connector diff --git a/testing/btest/Baseline/comm.connection_updates/send.send.out b/testing/btest/Baseline/comm.connection_updates/send.send.out new file mode 100644 index 0000000000..e23422e320 
--- /dev/null +++ b/testing/btest/Baseline/comm.connection_updates/send.send.out @@ -0,0 +1 @@ +Comm::outgoing_connection_established, 127.0.0.1, 9999/tcp, listener diff --git a/testing/btest/Baseline/comm.remote_event/send.send.out b/testing/btest/Baseline/comm.remote_event/send.send.out index ef1f7bc7e1..9fbb21f245 100644 --- a/testing/btest/Baseline/comm.remote_event/send.send.out +++ b/testing/btest/Baseline/comm.remote_event/send.send.out @@ -1,4 +1,4 @@ -Comm::remote_connection_established, 127.0.0.1, 9999/tcp +Comm::outgoing_connection_established, 127.0.0.1, 9999/tcp got event msg, pong, 0 got auto event msg, ping, 0 got event msg, pong, 1 diff --git a/testing/btest/Baseline/comm.remote_log/send.send.out b/testing/btest/Baseline/comm.remote_log/send.send.out index 0968e6beb9..e2415290d6 100644 --- a/testing/btest/Baseline/comm.remote_log/send.send.out +++ b/testing/btest/Baseline/comm.remote_log/send.send.out @@ -1 +1 @@ -Comm::remote_connection_established, 127.0.0.1, 9999/tcp +Comm::outgoing_connection_established, 127.0.0.1, 9999/tcp diff --git a/testing/btest/Baseline/comm.remote_print/send.send.out b/testing/btest/Baseline/comm.remote_print/send.send.out index 982ee993f6..fc5996194d 100644 --- a/testing/btest/Baseline/comm.remote_print/send.send.out +++ b/testing/btest/Baseline/comm.remote_print/send.send.out @@ -1,4 +1,4 @@ -Comm::remote_connection_established, 127.0.0.1, 9999/tcp +Comm::outgoing_connection_established, 127.0.0.1, 9999/tcp got print msg, pong 0 got print msg, pong 1 got print msg, pong 2 diff --git a/testing/btest/comm/clone_store.bro b/testing/btest/comm/clone_store.bro index 3ea0347024..7a8ccb3a56 100644 --- a/testing/btest/comm/clone_store.bro +++ b/testing/btest/comm/clone_store.bro 
@@ -81,9 +81,9 @@ event done() terminate(); } -event Comm::remote_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Comm::outgoing_connection_established(peer_address: string, + peer_port: port, + peer_name: string) { local myset: set[string] = {"a", "b", "c"}; local myvec: vector of string = {"alpha", "beta", "gamma"}; diff --git a/testing/btest/comm/connection_updates.bro b/testing/btest/comm/connection_updates.bro new file mode 100644 index 0000000000..a1e8c517d2 --- /dev/null +++ b/testing/btest/comm/connection_updates.bro @@ -0,0 +1,55 @@ +# @TEST_SERIALIZE: brokercomm +# @TEST_REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt + +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out" + +# @TEST-EXEC: btest-bg-wait 20 +# @TEST-EXEC: btest-diff recv/recv.out +# @TEST-EXEC: btest-diff send/send.out + +@TEST-START-FILE recv.bro + +redef exit_only_after_terminate = T; +redef Comm::endpoint_name = "listener"; + +event bro_init() + { + Comm::enable(); + Comm::listen(9999/tcp, "127.0.0.1"); + } + +event Comm::incoming_connection_established(peer_name: string) + { + print "Comm::incoming_connection_established", peer_name;; + } + +event Comm::incoming_connection_broken(peer_name: string) + { + print "Comm::incoming_connection_broken", peer_name;; + terminate(); + } + +@TEST-END-FILE + +@TEST-START-FILE send.bro + +redef exit_only_after_terminate = T; +redef Comm::endpoint_name = "connector"; + +event bro_init() + { + Comm::enable(); + Comm::connect("127.0.0.1", 9999/tcp, 1sec); + } + +event Comm::outgoing_connection_established(peer_address: string, + peer_port: port, + peer_name: string) + { + print "Comm::outgoing_connection_established", + peer_address, peer_port, peer_name;; + terminate(); + } + +@TEST-END-FILE diff --git a/testing/btest/comm/remote_event.test b/testing/btest/comm/remote_event.test index f44ed0df10..fc34ad79ec 100644 
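Review bot: The first two header lines of the new `connection_updates.bro` spell their directives `@TEST_SERIALIZE` and `@TEST_REQUIRES` with an underscore, while the remaining directives in the file use the hyphenated `@TEST-EXEC` form. btest keywords are hyphenated, so these two lines are most likely ignored. The test would then not be serialized with the other tests that listen on `9999/tcp`, nor skipped when broker is not built. They should read `# @TEST-SERIALIZE: brokercomm` and `# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt`. The same spelling shows in the context lines of the other `comm/` tests touched later in this series.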
--- a/testing/btest/comm/remote_event.test +++ b/testing/btest/comm/remote_event.test @@ -55,11 +55,11 @@ event bro_init() global event_count = 0; -event Comm::remote_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Comm::outgoing_connection_established(peer_address: string, + peer_port: port, + peer_name: string) { - print "Comm::remote_connection_established", peer_address, peer_port; + print "Comm::outgoing_connection_established", peer_address, peer_port; local args = Comm::event_args(event_handler, "ping", event_count); Comm::event("bro/event/hi", args); ++event_count; diff --git a/testing/btest/comm/remote_log.test b/testing/btest/comm/remote_log.test index 7cdc2ab97d..47227e2fba 100644 --- a/testing/btest/comm/remote_log.test +++ b/testing/btest/comm/remote_log.test @@ -77,11 +77,11 @@ event do_write() } } -event Comm::remote_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Comm::outgoing_connection_established(peer_address: string, + peer_port: port, + peer_name: string) { - print "Comm::remote_connection_established", peer_address, peer_port; + print "Comm::outgoing_connection_established", peer_address, peer_port; event do_write(); } diff --git a/testing/btest/comm/remote_print.test b/testing/btest/comm/remote_print.test index 03e7517f20..28e5bccc95 100644 --- a/testing/btest/comm/remote_print.test +++ b/testing/btest/comm/remote_print.test @@ -46,11 +46,11 @@ event bro_init() global n = 0; -event Comm::remote_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Comm::outgoing_connection_established(peer_address: string, + peer_port: port, + peer_name: string) { - print "Comm::remote_connection_established", peer_address, peer_port; + print "Comm::outgoing_connection_established", peer_address, peer_port; Comm::print("bro/print/hi", fmt("ping %d", n)); ++n; } From cfb666af2be257994584edd0ea68a8277c22ff27 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Mon, 9 Feb 2015 16:01:31 -0600 Subject: [PATCH 034/109] broker integration: move listen port for unit tests to a btest variable Later, this might be something btest itself could provide to help parallelize communication tests. E.g. unit tests requests a unique number from some range and btest coordinates the distribution of those among all tests. --- testing/btest/btest.cfg | 1 + testing/btest/comm/clone_store.bro | 10 ++++++---- testing/btest/comm/connection_updates.bro | 10 ++++++---- testing/btest/comm/remote_event.test | 10 ++++++---- testing/btest/comm/remote_log.test | 10 ++++++---- testing/btest/comm/remote_print.test | 10 ++++++---- 6 files changed, 31 insertions(+), 20 deletions(-) diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg index 2eea514357..3c91872f5a 100644 --- a/testing/btest/btest.cfg +++ b/testing/btest/btest.cfg @@ -25,3 +25,4 @@ TMPDIR=%(testbase)s/.tmp BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage.XXXXXX BTEST_RST_FILTER=$SCRIPTS/rst-filter BRO_DNS_FAKE=1 +BROKER_PORT=9999/tcp diff --git a/testing/btest/comm/clone_store.bro b/testing/btest/comm/clone_store.bro index 7a8ccb3a56..44ef0683cf 100644 --- a/testing/btest/comm/clone_store.bro +++ b/testing/btest/comm/clone_store.bro @@ -1,8 +1,8 @@ # @TEST_SERIALIZE: brokercomm # @TEST_REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt -# @TEST-EXEC: btest-bg-run clone "bro -b ../clone.bro >clone.out" -# @TEST-EXEC: btest-bg-run master "bro -b ../master.bro >master.out" +# @TEST-EXEC: btest-bg-run clone "bro -b ../clone.bro broker_port=$BROKER_PORT >clone.out" +# @TEST-EXEC: btest-bg-run master "bro -b ../master.bro broker_port=$BROKER_PORT >master.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff clone/clone.out @@ -10,6 +10,7 @@ @TEST-START-FILE clone.bro +const broker_port: port &redef; redef exit_only_after_terminate = T; global h: opaque of Store::Handle; 
@@ -54,7 +55,7 @@ event ready() event bro_init() { Comm::enable(); - Comm::listen(9999/tcp, "127.0.0.1"); + Comm::listen(broker_port, "127.0.0.1"); Comm::subscribe_to_events("bro/event/ready"); Comm::auto_event("bro/event/done", done); } @@ -63,6 +64,7 @@ event bro_init() @TEST-START-FILE master.bro +const broker_port: port &redef; redef exit_only_after_terminate = T; global h: opaque of Store::Handle; @@ -108,7 +110,7 @@ event Comm::outgoing_connection_established(peer_address: string, event bro_init() { Comm::enable(); - Comm::connect("127.0.0.1", 9999/tcp, 1secs); + Comm::connect("127.0.0.1", broker_port, 1secs); Comm::auto_event("bro/event/ready", ready); Comm::subscribe_to_events("bro/event/done"); } diff --git a/testing/btest/comm/connection_updates.bro b/testing/btest/comm/connection_updates.bro index a1e8c517d2..d6f4c99fa3 100644 --- a/testing/btest/comm/connection_updates.bro +++ b/testing/btest/comm/connection_updates.bro @@ -1,8 +1,8 @@ # @TEST_SERIALIZE: brokercomm # @TEST_REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro broker_port=$BROKER_PORT >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff recv/recv.out @@ -10,13 +10,14 @@ @TEST-START-FILE recv.bro +const broker_port: port &redef; redef exit_only_after_terminate = T; redef Comm::endpoint_name = "listener"; event bro_init() { Comm::enable(); - Comm::listen(9999/tcp, "127.0.0.1"); + Comm::listen(broker_port, "127.0.0.1"); } event Comm::incoming_connection_established(peer_name: string) 
@@ -34,13 +35,14 @@ event Comm::incoming_connection_broken(peer_name: string) @TEST-START-FILE send.bro +const broker_port: port &redef; redef exit_only_after_terminate = T; redef Comm::endpoint_name = "connector"; event bro_init() { Comm::enable(); - Comm::connect("127.0.0.1", 9999/tcp, 1sec); + Comm::connect("127.0.0.1", broker_port, 1sec); } event Comm::outgoing_connection_established(peer_address: string, diff --git a/testing/btest/comm/remote_event.test b/testing/btest/comm/remote_event.test index fc34ad79ec..aeced18eea 100644 --- a/testing/btest/comm/remote_event.test +++ b/testing/btest/comm/remote_event.test @@ -1,8 +1,8 @@ # @TEST_SERIALIZE: brokercomm # @TEST_REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro broker_port=$BROKER_PORT >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff recv/recv.out @@ -10,6 +10,7 @@ @TEST-START-FILE recv.bro +const broker_port: port &redef; redef exit_only_after_terminate = T; global event_handler: event(msg: string, c: count); @@ -18,7 +19,7 @@ global auto_event_handler: event(msg: string, c: count); event bro_init() { Comm::enable(); - Comm::listen(9999/tcp, "127.0.0.1"); + Comm::listen(broker_port, "127.0.0.1"); Comm::subscribe_to_events("bro/event/"); Comm::auto_event("bro/event/my_topic", auto_event_handler); } @@ -41,6 +42,7 @@ event event_handler(msg: string, n: count) @TEST-START-FILE send.bro +const broker_port: port &redef; redef exit_only_after_terminate = T; global event_handler: event(msg: string, c: count); 
@@ -50,7 +52,7 @@ event bro_init() { Comm::enable(); Comm::subscribe_to_events("bro/event/my_topic"); - Comm::connect("127.0.0.1", 9999/tcp, 1secs); + Comm::connect("127.0.0.1", broker_port, 1secs); } global event_count = 0; diff --git a/testing/btest/comm/remote_log.test b/testing/btest/comm/remote_log.test index 47227e2fba..2a6174810e 100644 --- a/testing/btest/comm/remote_log.test +++ b/testing/btest/comm/remote_log.test @@ -1,8 +1,8 @@ # @TEST_SERIALIZE: brokercomm # @TEST_REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt -# @TEST-EXEC: btest-bg-run recv "bro -b ../common.bro ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b ../common.bro ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -b ../common.bro ../recv.bro broker_port=$BROKER_PORT >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b ../common.bro ../send.bro broker_port=$BROKER_PORT >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff recv/recv.out @@ -35,11 +35,12 @@ event bro_init() &priority=5 @TEST-START-FILE recv.bro +const broker_port: port &redef; redef exit_only_after_terminate = T; event bro_init() { - Comm::listen(9999/tcp, "127.0.0.1"); + Comm::listen(broker_port, "127.0.0.1"); Comm::subscribe_to_logs("bro/log/"); } @@ -55,12 +56,13 @@ event Test::log_test(rec: Test::Info) @TEST-START-FILE send.bro +const broker_port: port &redef; redef exit_only_after_terminate = T; event bro_init() { Comm::enable_remote_logs(Test::LOG); - Comm::connect("127.0.0.1", 9999/tcp, 1secs); + Comm::connect("127.0.0.1", broker_port, 1secs); } global n = 0; diff --git a/testing/btest/comm/remote_print.test b/testing/btest/comm/remote_print.test index 28e5bccc95..0c32e2c1fe 100644 --- a/testing/btest/comm/remote_print.test +++ b/testing/btest/comm/remote_print.test 
@@ -1,8 +1,8 @@ # @TEST_SERIALIZE: brokercomm # @TEST_REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro broker_port=$BROKER_PORT >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff recv/recv.out @@ -10,12 +10,13 @@ @TEST-START-FILE recv.bro +const broker_port: port &redef; redef exit_only_after_terminate = T; event bro_init() { Comm::enable(); - Comm::listen(9999/tcp, "127.0.0.1"); + Comm::listen(broker_port, "127.0.0.1"); Comm::subscribe_to_prints("bro/print/"); } @@ -35,13 +36,14 @@ event Comm::print_handler(msg: string) @TEST-START-FILE send.bro +const broker_port: port &redef; redef exit_only_after_terminate = T; event bro_init() { Comm::enable(); Comm::subscribe_to_prints("bro/print/my_topic"); - Comm::connect("127.0.0.1", 9999/tcp, 1secs); + Comm::connect("127.0.0.1", broker_port, 1secs); } global n = 0; From ebc9407a2b28c81522a00063290e77c99a31c6e6 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 9 Feb 2015 16:18:46 -0600 Subject: [PATCH 035/109] broker integration: add knobs to set auto publish/advertise behavior --- scripts/base/frameworks/comm/main.bro | 5 ++++ src/comm/Manager.cc | 33 +++++++++++++++++++++++++-- src/comm/Manager.h | 4 +++- src/comm/comm.bif | 11 +++++++-- 4 files changed, 48 insertions(+), 5 deletions(-) diff --git a/scripts/base/frameworks/comm/main.bro b/scripts/base/frameworks/comm/main.bro index a2cd1f6ac0..66dc1715f4 100644 --- a/scripts/base/frameworks/comm/main.bro +++ b/scripts/base/frameworks/comm/main.bro 
@@ -5,6 +5,11 @@ export { const endpoint_name = "" &redef; + type EndpointFlags: record { + auto_publish: bool &default = T; + auto_advertise: bool &default = T; + }; + type SendFlags: record { self: bool &default = F; peers: bool &default = T; diff --git a/src/comm/Manager.cc b/src/comm/Manager.cc index 1dc7cc5415..832718b595 100644 --- a/src/comm/Manager.cc +++ b/src/comm/Manager.cc @@ -41,7 +41,25 @@ static int require_field(RecordType* rt, const char* name) return rval; } -bool comm::Manager::Enable() +static int GetEndpointFlags(Val* broker_endpoint_flags) + { + int rval = 0; + auto r = broker_endpoint_flags->AsRecordVal(); + Val* auto_publish_flag = r->Lookup("auto_publish", true); + Val* auto_advertise_flag = r->Lookup("auto_advertise", true); + + if ( auto_publish_flag->AsBool() ) + rval |= broker::AUTO_PUBLISH; + + if ( auto_advertise_flag->AsBool() ) + rval |= broker::AUTO_ADVERTISE; + + Unref(auto_publish_flag); + Unref(auto_advertise_flag); + return rval; + } + +bool comm::Manager::Enable(Val* broker_endpoint_flags) { if ( endpoint != nullptr ) return true; @@ -93,11 +111,22 @@ bool comm::Manager::Enable() name = fmt("bro@.%ld", static_cast(getpid())); } - endpoint = unique_ptr(new broker::endpoint(name)); + int flags = GetEndpointFlags(broker_endpoint_flags); + endpoint = unique_ptr(new broker::endpoint(name, flags)); iosource_mgr->Register(this, true); return true; } +bool comm::Manager::SetEndpointFlags(Val* broker_endpoint_flags) + { + if ( ! Enabled() ) + return false; + + int flags = GetEndpointFlags(broker_endpoint_flags); + endpoint->set_flags(flags); + return true; + } + bool comm::Manager::Listen(uint16_t port, const char* addr, bool reuse_addr) { if ( ! Enabled() ) diff --git a/src/comm/Manager.h b/src/comm/Manager.h index 2317ecea2c..ef1532fbc8 100644 --- a/src/comm/Manager.h +++ b/src/comm/Manager.h 
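Review bot: `Manager::Enable` still returns `true` at `if ( endpoint != nullptr )` before `GetEndpointFlags` is ever called, so a second `Comm::enable(flags)` silently discards its argument. Both fields of `Comm::EndpointFlags` default to `T`, so a script that asks for `auto_publish=F` after another script has already enabled the endpoint keeps the automatic publish/advertise behaviour and is still told the call succeeded. Either apply the flags on that path, `if ( endpoint != nullptr ) return SetEndpointFlags(broker_endpoint_flags);`, or report that they were ignored. `Enable` spans both Manager.cc hunks and its middle is not shown.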
@@ -24,7 +24,9 @@ public: ~Manager(); - bool Enable(); + bool Enable(Val* flags); + + bool SetEndpointFlags(Val* flags); bool Enabled() { return endpoint != nullptr; } diff --git a/src/comm/comm.bif b/src/comm/comm.bif index e87c6c1144..aa7efac472 100644 --- a/src/comm/comm.bif +++ b/src/comm/comm.bif @@ -7,9 +7,16 @@ module Comm; -function Comm::enable%(%): bool +type Comm::EndpointFlags: record; + +function Comm::enable%(flags: EndpointFlags &default = EndpointFlags()%): bool %{ - return new Val(comm_mgr->Enable(), TYPE_BOOL); + return new Val(comm_mgr->Enable(flags), TYPE_BOOL); + %} + +function Comm::set_endpoint_flags%(flags: EndpointFlags &default = EndpointFlags()%): bool + %{ + return new Val(comm_mgr->SetEndpointFlags(flags), TYPE_BOOL); %} event Comm::outgoing_connection_established%(peer_address: string, From bdf21c054a5a74408d456446afd009aa2c5f04b7 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 10 Feb 2015 09:51:57 -0600 Subject: [PATCH 036/109] broker integration: add (un)publish/(un)advertise functions For when one wants to manually tune pub/sub behavior instead of use the default automatic settings of allowing publication to all peers and advertising all subscriptions to all peers. --- src/comm/Manager.cc | 36 ++++++++++++++++++++++++++++++++++++ src/comm/Manager.h | 8 ++++++++ src/comm/comm.bif | 20 ++++++++++++++++++++ 3 files changed, 64 insertions(+) diff --git a/src/comm/Manager.cc b/src/comm/Manager.cc index 832718b595..6c09c08f2b 100644 --- a/src/comm/Manager.cc +++ b/src/comm/Manager.cc 
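Review bot: `Comm::set_endpoint_flags` declares `flags: EndpointFlags &default = EndpointFlags()`, so calling it with no argument silently sets both `auto_publish` and `auto_advertise` back to `T`, the record defaults added in main.bro. On a setter that is an easy way to re-open publication and advertisement to all peers by accident. I would require the argument, `function Comm::set_endpoint_flags%(flags: EndpointFlags%): bool`, and add a `##` comment saying that it returns `F` only when comm has not been enabled.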
@@ -448,6 +448,42 @@ bool comm::Manager::UnsubscribeToLogs(const string& topic_prefix) return log_subscriptions.erase(topic_prefix); } +bool comm::Manager::PublishTopic(broker::topic t) + { + if ( ! Enabled() ) + return false; + + endpoint->publish(move(t)); + return true; + } + +bool comm::Manager::UnpublishTopic(broker::topic t) + { + if ( ! Enabled() ) + return false; + + endpoint->unpublish(move(t)); + return true; + } + +bool comm::Manager::AdvertiseTopic(broker::topic t) + { + if ( ! Enabled() ) + return false; + + endpoint->advertise(move(t)); + return true; + } + +bool comm::Manager::UnadvertiseTopic(broker::topic t) + { + if ( ! Enabled() ) + return false; + + endpoint->unadvertise(move(t)); + return true; + } + int comm::Manager::GetFlags(Val* flags) { auto r = flags->AsRecordVal(); diff --git a/src/comm/Manager.h b/src/comm/Manager.h index ef1532fbc8..e8a8d5e5b1 100644 --- a/src/comm/Manager.h +++ b/src/comm/Manager.h @@ -64,6 +64,14 @@ public: bool UnsubscribeToLogs(const std::string& topic_prefix); + bool PublishTopic(broker::topic t); + + bool UnpublishTopic(broker::topic t); + + bool AdvertiseTopic(broker::topic t); + + bool UnadvertiseTopic(broker::topic t); + bool AddStore(StoreHandleVal* handle); StoreHandleVal* LookupStore(const broker::store::identifier& id, StoreType type); diff --git a/src/comm/comm.bif b/src/comm/comm.bif index aa7efac472..1d41b572f6 100644 --- a/src/comm/comm.bif +++ b/src/comm/comm.bif 
@@ -19,6 +19,26 @@ function Comm::set_endpoint_flags%(flags: EndpointFlags &default = EndpointFlags return new Val(comm_mgr->SetEndpointFlags(flags), TYPE_BOOL); %} +function Comm::publish_topic%(topic: string%): bool + %{ + return new Val(comm_mgr->PublishTopic(topic->CheckString()), TYPE_BOOL); + %} + +function Comm::unpublish_topic%(topic: string%): bool + %{ + return new Val(comm_mgr->UnpublishTopic(topic->CheckString()), TYPE_BOOL); + %} + +function Comm::advertise_topic%(topic: string%): bool + %{ + return new Val(comm_mgr->AdvertiseTopic(topic->CheckString()), TYPE_BOOL); + %} + +function Comm::unadvertise_topic%(topic: string%): bool + %{ + return new Val(comm_mgr->UnadvertiseTopic(topic->CheckString()), TYPE_BOOL); + %} + event Comm::outgoing_connection_established%(peer_address: string, peer_port: port, peer_name: string%); From fc36777e66c71fb975b344a8930bd7980b4f5e9f Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 10 Feb 2015 12:34:47 -0600 Subject: [PATCH 037/109] Add --enable-c++11 configure flag. And try to detect that compiler version is sufficient for C++11 support. --enable-broker implies --enable-c++11 --- CMakeLists.txt | 5 ++++- aux/broker | 2 +- cmake | 2 +- configure | 5 +++++ 4 files changed, 11 insertions(+), 3 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index b31e60ac01..28ebc8b568 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -177,8 +177,11 @@ include_directories(${CMAKE_CURRENT_BINARY_DIR}) ######################################################################## ## Recurse on sub-directories +if ( ENABLE_CXX11 ) + include(RequireCXX11) +endif () + if ( ENABLE_BROKER ) - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11") add_subdirectory(aux/broker) set(brodeps ${brodeps} broker) add_definitions(-DENABLE_BROKER) diff --git a/aux/broker b/aux/broker index 4fae86cd67..0af74017e2 160000 --- a/aux/broker +++ b/aux/broker 
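Review bot: All four new functions pass `topic->CheckString()` straight to the manager, so an empty string is accepted and the call returns `T`. Elsewhere in this series topics are matched as prefixes (`Comm::subscribe_to_prints("bro/print/")`). If publish and advertise follow the same rule, an empty topic would cover everything, which defeats the purpose of turning the automatic flags off. A guard such as `if ( topic->Len() == 0 ) return new Val(false, TYPE_BOOL);` at the top of each body would reject it. It is also worth confirming what `CheckString()` yields for a value with an embedded NUL, since whatever it returns becomes the topic.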
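Review bot: With `-std=c++11` removed from the `ENABLE_BROKER` branch, the standard is requested only when `ENABLE_CXX11` is set, and the "broker implies C++11" rule is implemented in `configure` alone. A build that sets `ENABLE_BROKER` directly through cmake would then add `aux/broker` without the C++11 check, unless `RequireCXX11` is pulled in somewhere not shown here. Changing the condition to `if ( ENABLE_CXX11 OR ENABLE_BROKER )` keeps the two entry points consistent.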
@@ -1 +1 @@ -Subproject commit 4fae86cd67b999f48a2f2f354c91e4b1b343b2a1 +Subproject commit 0af74017e28d78179a25d60ca80385af444d39f1 diff --git a/cmake b/cmake index c2057b7f15..532dd04e8c 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit c2057b7f15dedc27641a50312384505ce4f2112c +Subproject commit 532dd04e8c5027c613a65ea10bcdbaf5e876fcfa diff --git a/configure b/configure index 6235aba7dd..3f7295711c 100755 --- a/configure +++ b/configure @@ -41,6 +41,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --enable-perftools-debug use Google's perftools for debugging --enable-jemalloc link against jemalloc --enable-ruby build ruby bindings for broccoli (deprecated) + --enable-c++11 build using the C++11 standard --enable-broker enable use of the Broker communication library (requires C++ Actor Framework and C++11) --disable-broccoli don't build or install the Broccoli library @@ -182,7 +183,11 @@ while [ $# -ne 0 ]; do --enable-jemalloc) append_cache_entry ENABLE_JEMALLOC BOOL true ;; + --enable-c++11) + append_cache_entry ENABLE_CXX11 BOOL true + ;; --enable-broker) + append_cache_entry ENABLE_CXX11 BOOL true append_cache_entry ENABLE_BROKER BOOL true ;; --disable-broccoli) From 6d868d83bea1df0c149704f05361768456231315 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 10 Feb 2015 13:44:04 -0600 Subject: [PATCH 038/109] broker integration: fix unit tests to work when broker is not enabled. --- src/CMakeLists.txt | 4 ++++ src/comm-dummy/CMakeLists.txt | 13 +++++++++++++ src/comm-dummy/comm.bif | 3 +++ src/comm-dummy/data.bif | 3 +++ src/comm-dummy/messaging.bif | 3 +++ src/comm-dummy/store.bif | 3 +++ testing/btest/comm/clone_store.bro | 4 ++-- testing/btest/comm/connection_updates.bro | 4 ++-- testing/btest/comm/data.bro | 2 ++ testing/btest/comm/master_store.bro | 2 ++ testing/btest/comm/remote_event.test | 4 ++-- testing/btest/comm/remote_log.test | 4 ++-- testing/btest/comm/remote_print.test | 4 ++-- 13 files changed, 43 insertions(+), 10 deletions(-) create mode 100644 src/comm-dummy/CMakeLists.txt create mode 100644 src/comm-dummy/comm.bif create mode 100644 src/comm-dummy/data.bif create mode 100644 src/comm-dummy/messaging.bif create mode 100644 src/comm-dummy/store.bif diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 55ca12c873..323fb6f023 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -163,6 +163,10 @@ add_subdirectory(probabilistic) if ( ENABLE_BROKER ) add_subdirectory(comm) +else () + # Just to satisfy coverage unit tests until new Broker-based + # communication is enabled by default. + add_subdirectory(comm-dummy) endif () set(bro_SUBDIRS diff --git a/src/comm-dummy/CMakeLists.txt b/src/comm-dummy/CMakeLists.txt new file mode 100644 index 0000000000..cddea1342d --- /dev/null +++ b/src/comm-dummy/CMakeLists.txt @@ -0,0 +1,13 @@ +# Placeholder for Broker-based communication functionality, not enabled +# by default. This helps satisfy coverage unit tests pass regardless of +# whether Broker is enabled or not. + +include(BroSubdir) + +bif_target(comm.bif) +bif_target(data.bif) +bif_target(messaging.bif) +bif_target(store.bif) + +bro_add_subdir_library(comm_dummy ${BIF_OUTPUT_CC}) +add_dependencies(bro_comm_dummy generate_outputs) 
diff --git a/src/comm-dummy/comm.bif b/src/comm-dummy/comm.bif new file mode 100644 index 0000000000..b030a4cc73 --- /dev/null +++ b/src/comm-dummy/comm.bif @@ -0,0 +1,3 @@ + +##! Placeholder for Broker-based communication functionality, not enabled +##! by default. diff --git a/src/comm-dummy/data.bif b/src/comm-dummy/data.bif new file mode 100644 index 0000000000..e9b9950474 --- /dev/null +++ b/src/comm-dummy/data.bif @@ -0,0 +1,3 @@ + +##! Placeholder for Broker-based communication functionality, not enabled +##! by default diff --git a/src/comm-dummy/messaging.bif b/src/comm-dummy/messaging.bif new file mode 100644 index 0000000000..e9b9950474 --- /dev/null +++ b/src/comm-dummy/messaging.bif @@ -0,0 +1,3 @@ + +##! Placeholder for Broker-based communication functionality, not enabled +##! by default diff --git a/src/comm-dummy/store.bif b/src/comm-dummy/store.bif new file mode 100644 index 0000000000..e9b9950474 --- /dev/null +++ b/src/comm-dummy/store.bif @@ -0,0 +1,3 @@ + +##! Placeholder for Broker-based communication functionality, not enabled +##! by default diff --git a/testing/btest/comm/clone_store.bro b/testing/btest/comm/clone_store.bro index 44ef0683cf..da05f45210 100644 --- a/testing/btest/comm/clone_store.bro +++ b/testing/btest/comm/clone_store.bro @@ -1,5 +1,5 @@ -# @TEST_SERIALIZE: brokercomm -# @TEST_REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt +# @TEST-SERIALIZE: brokercomm +# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt # @TEST-EXEC: btest-bg-run clone "bro -b ../clone.bro broker_port=$BROKER_PORT >clone.out" # @TEST-EXEC: btest-bg-run master "bro -b ../master.bro broker_port=$BROKER_PORT >master.out" diff --git a/testing/btest/comm/connection_updates.bro b/testing/btest/comm/connection_updates.bro index d6f4c99fa3..67f66646c9 100644 --- a/testing/btest/comm/connection_updates.bro +++ b/testing/btest/comm/connection_updates.bro 
@@ -1,5 +1,5 @@ -# @TEST_SERIALIZE: brokercomm -# @TEST_REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt +# @TEST-SERIALIZE: brokercomm +# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt # @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out" # @TEST-EXEC: btest-bg-run send "bro -b ../send.bro broker_port=$BROKER_PORT >send.out" diff --git a/testing/btest/comm/data.bro b/testing/btest/comm/data.bro index dfbb8fc1d7..a7de41be7a 100644 --- a/testing/btest/comm/data.bro +++ b/testing/btest/comm/data.bro @@ -1,3 +1,5 @@ +# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt + # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out diff --git a/testing/btest/comm/master_store.bro b/testing/btest/comm/master_store.bro index a1cc6a8c95..61331bd170 100644 --- a/testing/btest/comm/master_store.bro +++ b/testing/btest/comm/master_store.bro @@ -1,3 +1,5 @@ +# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt + # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff out diff --git a/testing/btest/comm/remote_event.test b/testing/btest/comm/remote_event.test index aeced18eea..2e7aa02d6a 100644 --- a/testing/btest/comm/remote_event.test +++ b/testing/btest/comm/remote_event.test @@ -1,5 +1,5 @@ -# @TEST_SERIALIZE: brokercomm -# @TEST_REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt +# @TEST-SERIALIZE: brokercomm +# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt # @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out" # @TEST-EXEC: btest-bg-run send "bro -b ../send.bro broker_port=$BROKER_PORT >send.out" diff --git a/testing/btest/comm/remote_log.test b/testing/btest/comm/remote_log.test index 2a6174810e..b7dd54abf3 100644 --- a/testing/btest/comm/remote_log.test +++ b/testing/btest/comm/remote_log.test 
@@ -1,5 +1,5 @@ -# @TEST_SERIALIZE: brokercomm -# @TEST_REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt +# @TEST-SERIALIZE: brokercomm +# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt # @TEST-EXEC: btest-bg-run recv "bro -b ../common.bro ../recv.bro broker_port=$BROKER_PORT >recv.out" # @TEST-EXEC: btest-bg-run send "bro -b ../common.bro ../send.bro broker_port=$BROKER_PORT >send.out" diff --git a/testing/btest/comm/remote_print.test b/testing/btest/comm/remote_print.test index 0c32e2c1fe..4cf9d9b489 100644 --- a/testing/btest/comm/remote_print.test +++ b/testing/btest/comm/remote_print.test @@ -1,5 +1,5 @@ -# @TEST_SERIALIZE: brokercomm -# @TEST_REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt +# @TEST-SERIALIZE: brokercomm +# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt # @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out" # @TEST-EXEC: btest-bg-run send "bro -b ../send.bro broker_port=$BROKER_PORT >send.out" From 07cba950b89253a1a9d2857dfcec7744e87fc5ba Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 10 Feb 2015 16:14:49 -0600 Subject: [PATCH 039/109] Fix gcc compile warnings. --- aux/broker | 2 +- src/EventHandler.cc | 2 +- src/comm/Data.cc | 10 ++++++---- src/comm/Manager.cc | 6 +++--- 4 files changed, 11 insertions(+), 9 deletions(-) diff --git a/aux/broker b/aux/broker index 0af74017e2..9def853ec4 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 0af74017e28d78179a25d60ca80385af444d39f1 +Subproject commit 9def853ec4498e0133735938355832e0a7628ec8 diff --git a/src/EventHandler.cc b/src/EventHandler.cc index d623f43b66..c252951781 100644 --- a/src/EventHandler.cc +++ b/src/EventHandler.cc @@ -94,7 +94,7 @@ void EventHandler::Call(val_list* vl, bool no_remote) msg.emplace_back(Name()); bool valid_args = true; - for ( auto i = 0u; i < vl->length(); ++i ) + for ( auto i = 0; i < vl->length(); ++i ) { auto opt_data = comm::val_to_data((*vl)[i]); 
diff --git a/src/comm/Data.cc b/src/comm/Data.cc index 0ea7666f9e..77b2a496bf 100644 --- a/src/comm/Data.cc +++ b/src/comm/Data.cc @@ -192,7 +192,8 @@ struct val_converter { auto expected_index_types = tt->Indices()->Types(); - if ( expected_index_types->length() != indices->size() ) + if ( static_cast(expected_index_types->length()) != + indices->size() ) { Unref(rval); return nullptr; @@ -244,7 +245,8 @@ struct val_converter { auto expected_index_types = tt->Indices()->Types(); - if ( expected_index_types->length() != indices->size() ) + if ( static_cast(expected_index_types->length()) != + indices->size() ) { Unref(rval); return nullptr; @@ -315,7 +317,7 @@ struct val_converter { auto rt = type->AsRecordType(); - if ( a.fields.size() != rt->NumFields() ) + if ( a.fields.size() != static_cast(rt->NumFields()) ) return nullptr; auto rval = new RecordVal(rt); @@ -505,7 +507,7 @@ broker::util::optional comm::val_to_data(Val* v) { auto rec = v->AsRecordVal(); broker::record rval; - auto num_fields = v->Type()->AsRecordType()->NumFields(); + size_t num_fields = v->Type()->AsRecordType()->NumFields(); rval.fields.reserve(num_fields); for ( auto i = 0u; i < num_fields; ++i ) diff --git a/src/comm/Manager.cc b/src/comm/Manager.cc index 6c09c08f2b..92b2c167dd 100644 --- a/src/comm/Manager.cc +++ b/src/comm/Manager.cc @@ -322,7 +322,7 @@ RecordVal* comm::Manager::MakeEventArgs(val_list* args) rval->Assign(1, arg_vec); Func* func; - for ( auto i = 0u; i < args->length(); ++i ) + for ( auto i = 0; i < args->length(); ++i ) { auto arg_val = (*args)[i]; @@ -742,7 +742,7 @@ void comm::Manager::Process() auto arg_types = ehp->FType()->ArgTypes()->Types(); - if ( arg_types->length() != em.size() - 1 ) + if ( static_cast(arg_types->length()) != em.size() - 1 ) { reporter->Warning("got event message with invalid # of args," " got %zd, expected %d", em.size() - 1, 
@@ -766,7 +766,7 @@ void comm::Manager::Process() } } - if ( vl->length() == em.size() - 1 ) + if ( static_cast(vl->length()) == em.size() - 1 ) mgr.QueueEvent(ehp, vl); else delete_vals(vl); From 8e4d37d5c1a24ab385286cb6ee8ba976bccbca00 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 11 Feb 2015 11:21:01 -0600 Subject: [PATCH 040/109] Improve comm tests. Same old problems: hard to get termination conditions right. --- .../Baseline/comm.remote_event/send.send.out | 2 - .../Baseline/comm.remote_print/send.send.out | 1 - testing/btest/comm/clone_store.bro | 12 ++---- testing/btest/comm/remote_event.test | 36 +++++++----------- testing/btest/comm/remote_log.test | 8 +++- testing/btest/comm/remote_print.test | 37 +++++++++++++------ 6 files changed, 48 insertions(+), 48 deletions(-) diff --git a/testing/btest/Baseline/comm.remote_event/send.send.out b/testing/btest/Baseline/comm.remote_event/send.send.out index 9fbb21f245..0e529e08fc 100644 --- a/testing/btest/Baseline/comm.remote_event/send.send.out +++ b/testing/btest/Baseline/comm.remote_event/send.send.out @@ -9,5 +9,3 @@ got event msg, pong, 3 got auto event msg, ping, 3 got event msg, pong, 4 got auto event msg, ping, 4 -got event msg, pong, 5 -got auto event msg, ping, 5 diff --git a/testing/btest/Baseline/comm.remote_print/send.send.out b/testing/btest/Baseline/comm.remote_print/send.send.out index fc5996194d..777afdc0d2 100644 --- a/testing/btest/Baseline/comm.remote_print/send.send.out +++ b/testing/btest/Baseline/comm.remote_print/send.send.out @@ -4,4 +4,3 @@ got print msg, pong 1 got print msg, pong 2 got print msg, pong 3 got print msg, pong 4 -got print msg, pong 5 diff --git a/testing/btest/comm/clone_store.bro b/testing/btest/comm/clone_store.bro index da05f45210..5a01a497fd 100644 --- a/testing/btest/comm/clone_store.bro +++ b/testing/btest/comm/clone_store.bro 
@@ -17,11 +17,6 @@ global h: opaque of Store::Handle; global expected_key_count = 4; global key_count = 0; -event done() - { - terminate(); - } - function do_lookup(key: string) { when ( local res = Store::lookup(h, Comm::data(key)) ) @@ -30,7 +25,7 @@ function do_lookup(key: string) print "lookup", key, res; if ( key_count == expected_key_count ) - event done(); + terminate(); } timeout 10sec { print "timeout"; } @@ -57,7 +52,6 @@ event bro_init() Comm::enable(); Comm::listen(broker_port, "127.0.0.1"); Comm::subscribe_to_events("bro/event/ready"); - Comm::auto_event("bro/event/done", done); } @TEST-END-FILE @@ -78,7 +72,8 @@ function dv(d: Comm::Data): Comm::DataVector global ready: event(); -event done() +event Comm::outgoing_connection_broken(peer_address: string, + peer_port: port) { terminate(); } @@ -112,7 +107,6 @@ event bro_init() Comm::enable(); Comm::connect("127.0.0.1", broker_port, 1secs); Comm::auto_event("bro/event/ready", ready); - Comm::subscribe_to_events("bro/event/done"); } @TEST-END-FILE diff --git a/testing/btest/comm/remote_event.test b/testing/btest/comm/remote_event.test index 2e7aa02d6a..31897bea31 100644 --- a/testing/btest/comm/remote_event.test +++ b/testing/btest/comm/remote_event.test @@ -25,17 +25,22 @@ event bro_init() } global event_count = 0; +global events_to_recv = 6; event event_handler(msg: string, n: count) { - event auto_event_handler(msg, n); - print "got event msg", msg, n; - local args = Comm::event_args(event_handler, "pong", event_count); - Comm::event("bro/event/my_topic", args); ++event_count; + print "got event msg", msg, n; - if ( n == 5 ) + if ( event_count == events_to_recv ) + { terminate(); + return; + } + + event auto_event_handler(msg, n); + local args = Comm::event_args(event_handler, "pong", n); + Comm::event("bro/event/my_topic", args); } @TEST-END-FILE 
@@ -67,13 +72,10 @@ event Comm::outgoing_connection_established(peer_address: string, ++event_count; } -global done = F; -global done_auto = F; - -function check_terminate() +event Comm::outgoing_connection_broken(peer_address: string, + peer_port: port) { - if ( done && done_auto ) - terminate(); + terminate(); } event event_handler(msg: string, n: count) @@ -82,23 +84,11 @@ event event_handler(msg: string, n: count) local args = Comm::event_args(event_handler, "ping", event_count); Comm::event("bro/event/hi", args); ++event_count; - - if ( n == 5 ) - { - done = T; - check_terminate(); - } } event auto_event_handler(msg: string, n: count) { print "got auto event msg", msg, n; - - if ( n == 5 ) - { - done_auto = T; - check_terminate(); - } } @TEST-END-FILE diff --git a/testing/btest/comm/remote_log.test b/testing/btest/comm/remote_log.test index b7dd54abf3..42f3f8a594 100644 --- a/testing/btest/comm/remote_log.test +++ b/testing/btest/comm/remote_log.test @@ -70,7 +70,7 @@ global n = 0; event do_write() { if ( n == 6 ) - terminate(); + return; else { Log::write(Test::LOG, [$msg = "ping", $num = n]); @@ -87,4 +87,10 @@ event Comm::outgoing_connection_established(peer_address: string, event do_write(); } +event Comm::outgoing_connection_broken(peer_address: string, + peer_port: port) + { + terminate(); + } + @TEST-END-FILE diff --git a/testing/btest/comm/remote_print.test b/testing/btest/comm/remote_print.test index 4cf9d9b489..d77bc92e9c 100644 --- a/testing/btest/comm/remote_print.test +++ b/testing/btest/comm/remote_print.test 
@@ -20,16 +20,23 @@ event bro_init() Comm::subscribe_to_prints("bro/print/"); } -global n = 0; +global messages_to_recv = 6; +global messages_sent = 0; +global messages_recv = 0; event Comm::print_handler(msg: string) { + ++messages_recv; print "got print msg", msg; - Comm::print("bro/print/my_topic", fmt("pong %d", n)); - ++n; - if ( msg == "ping 5" ) + if ( messages_to_recv == messages_recv ) + { terminate(); + return; + } + + Comm::print("bro/print/my_topic", fmt("pong %d", messages_sent)); + ++messages_sent; } @TEST-END-FILE @@ -46,25 +53,31 @@ event bro_init() Comm::connect("127.0.0.1", broker_port, 1secs); } -global n = 0; +global messages_sent = 0; +global messages_recv = 0; +global peer_disconnected = F; event Comm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) { print "Comm::outgoing_connection_established", peer_address, peer_port; - Comm::print("bro/print/hi", fmt("ping %d", n)); - ++n; + Comm::print("bro/print/hi", fmt("ping %d", messages_sent)); + ++messages_sent; + } + +event Comm::outgoing_connection_broken(peer_address: string, + peer_port: port) + { + terminate(); } event Comm::print_handler(msg: string) { + ++messages_recv; print "got print msg", msg; - Comm::print("bro/print/hi", fmt("ping %d", n)); - ++n; - - if ( msg == "pong 5" ) - terminate(); + Comm::print("bro/print/hi", fmt("ping %d", messages_sent)); + ++messages_sent; } @TEST-END-FILE From dab4d6c8bd296ab89ae8c88931c5efd8e80d4424 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 11 Feb 2015 13:21:36 -0600 Subject: [PATCH 041/109] Update broker submodule. --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index 9def853ec4..0767494b9f 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 9def853ec4498e0133735938355832e0a7628ec8 +Subproject commit 0767494b9f11fabd464cd95c125d5987b6d52858 From 88af106b6b5de8497499e1f6be9d317b6fbb4707 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Wed, 11 Feb 2015 13:56:34 -0600 Subject: [PATCH 042/109] Fix use of deprecated gperftools headers. As of gperftools 2.0 (Feb. 2012), they've been renamed in to gperftools/ instead of google/, and as of gperftools 2.2, including the later emits deprecation warnings. --- src/util.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/util.h b/src/util.h index db77888c16..50c33d5608 100644 --- a/src/util.h +++ b/src/util.h @@ -48,8 +48,8 @@ #endif #ifdef USE_PERFTOOLS_DEBUG -#include -#include +#include +#include extern HeapLeakChecker* heap_checker; #endif From 5a73c11baa783088d9a03460ca7000f940b72121 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Thu, 12 Feb 2015 11:40:04 -0600 Subject: [PATCH 043/109] broker integration: fix memory leak, add leak tests Leak tests won't pass w/ libcaf 0.12.2, needs the develop branch (actor-framework@a89485a3098965f104264808994fabfbc3a1bf61). --- src/comm/Data.cc | 9 +- .../clone.clone.out | 5 + .../Baseline/core.leaks.comm.data/bro..stdout | 99 ++++++++ .../core.leaks.comm.master_store/bro..stdout | 14 ++ .../recv.recv.out | 6 + .../send.send.out | 11 + .../core.leaks.comm.remote_log/recv.recv.out | 6 + .../core.leaks.comm.remote_log/recv.test.log | 15 ++ .../core.leaks.comm.remote_log/send.send.out | 1 + .../core.leaks.comm.remote_log/send.test.log | 15 ++ .../recv.recv.out | 6 + .../send.send.out | 6 + testing/btest/core/leaks/comm/clone_store.bro | 113 +++++++++ testing/btest/core/leaks/comm/data.bro | 233 ++++++++++++++++++ .../btest/core/leaks/comm/master_store.bro | 155 ++++++++++++ .../btest/core/leaks/comm/remote_event.test | 96 ++++++++ testing/btest/core/leaks/comm/remote_log.test | 98 ++++++++ .../btest/core/leaks/comm/remote_print.test | 85 +++++++ 18 files changed, 969 insertions(+), 4 deletions(-) create mode 100644 testing/btest/Baseline/core.leaks.comm.clone_store/clone.clone.out create mode 100644 testing/btest/Baseline/core.leaks.comm.data/bro..stdout create mode 100644 testing/btest/Baseline/core.leaks.comm.master_store/bro..stdout create mode 100644 testing/btest/Baseline/core.leaks.comm.remote_event/recv.recv.out create mode 100644 testing/btest/Baseline/core.leaks.comm.remote_event/send.send.out create mode 100644 testing/btest/Baseline/core.leaks.comm.remote_log/recv.recv.out create mode 100644 testing/btest/Baseline/core.leaks.comm.remote_log/recv.test.log create mode 100644 testing/btest/Baseline/core.leaks.comm.remote_log/send.send.out create mode 100644 testing/btest/Baseline/core.leaks.comm.remote_log/send.test.log create mode 100644 testing/btest/Baseline/core.leaks.comm.remote_print/recv.recv.out create mode 100644 
testing/btest/Baseline/core.leaks.comm.remote_print/send.send.out create mode 100644 testing/btest/core/leaks/comm/clone_store.bro create mode 100644 testing/btest/core/leaks/comm/data.bro create mode 100644 testing/btest/core/leaks/comm/master_store.bro create mode 100644 testing/btest/core/leaks/comm/remote_event.test create mode 100644 testing/btest/core/leaks/comm/remote_log.test create mode 100644 testing/btest/core/leaks/comm/remote_print.test diff --git a/src/comm/Data.cc b/src/comm/Data.cc index 77b2a496bf..46fc8bc8eb 100644 --- a/src/comm/Data.cc +++ b/src/comm/Data.cc @@ -414,7 +414,6 @@ broker::util::optional comm::val_to_data(Val* v) auto is_set = v->Type()->IsSet(); auto table = v->AsTable(); auto table_val = v->AsTableVal(); - auto c = table->InitForIteration(); broker::data rval; if ( is_set ) @@ -437,10 +436,12 @@ broker::util::optional comm::val_to_data(Val* v) ListVal* lv; }; - for ( auto i = 0; i < table->Length(); ++i ) + HashKey* k; + TableEntryVal* entry; + auto c = table->InitForIteration(); + + while ( (entry = table->NextEntry(k, c)) ) { - HashKey* k; - auto entry = table->NextEntry(k, c); auto vl = table_val->RecoverIndex(k); iter_guard ig(k, vl); diff --git a/testing/btest/Baseline/core.leaks.comm.clone_store/clone.clone.out b/testing/btest/Baseline/core.leaks.comm.clone_store/clone.clone.out new file mode 100644 index 0000000000..8a7c89a19b --- /dev/null +++ b/testing/btest/Baseline/core.leaks.comm.clone_store/clone.clone.out @@ -0,0 +1,5 @@ +clone keys, [status=Store::SUCCESS, result=[d=broker::data{[one, two, myset, myvec]}]] +lookup, one, [status=Store::SUCCESS, result=[d=broker::data{111}]] +lookup, two, [status=Store::SUCCESS, result=[d=broker::data{222}]] +lookup, myset, [status=Store::SUCCESS, result=[d=broker::data{{a, c, d}}]] +lookup, myvec, [status=Store::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]] 
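Review bot: An early exit from the rest of this loop body would still leak the iteration cookie `c`, because the new `while ( (entry = table->NextEntry(k, c)) )` form releases it only when the table is walked to the end. The body continues outside the hunk, so this needs checking there: any `return` on a failed element conversion should be preceded by `table->StopIteration(c);`. Separately, `HashKey* k;` is declared uninitialised outside the loop; `HashKey* k = nullptr;` makes the state before the first `NextEntry()` call well defined.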
diff --git a/testing/btest/Baseline/core.leaks.comm.data/bro..stdout b/testing/btest/Baseline/core.leaks.comm.data/bro..stdout new file mode 100644 index 0000000000..eea78d39a2 --- /dev/null +++ b/testing/btest/Baseline/core.leaks.comm.data/bro..stdout @@ -0,0 +1,99 @@ +Comm::BOOL +Comm::INT +Comm::COUNT +Comm::DOUBLE +Comm::STRING +Comm::ADDR +Comm::SUBNET +Comm::PORT +Comm::TIME +Comm::INTERVAL +Comm::ENUM +Comm::SET +Comm::TABLE +Comm::VECTOR +Comm::RECORD +*************************** +T +F +1 +0 +-1 +1 +0 +1.1 +-11.1 +hello +1.2.3.4 +192.168.0.0/16 +22/tcp +42.0 +180.0 +Comm::BOOL +*************************** +{ +two, +one, +three +} +0 +T +1 +T +F +T +2 +T +1 +F +{ +bye +} +0 +*************************** +{ +[two] = 2, +[one] = 1, +[three] = 3 +} +0 +[d=] +1 +T +42 +F +[d=] +2 +[d=broker::data{7}] +2 +37 +[d=broker::data{42}] +1 +*************************** +[zero, one, two] +0 +T +T +T +T +[hi, salutations, hello, greetings] +4 +[d=broker::data{hello}] +[d=broker::data{bah}] +[d=broker::data{hi}] +[hi, salutations, bah, greetings] +[d=broker::data{bah}] +[hi, salutations, greetings] +3 +*************************** +[a=, b=bee, c=1] +[a=test, b=bee, c=1] +[a=test, b=testagain, c=1] +3 +T +T +T +[d=broker::data{hi}] +[d=broker::data{hello}] +[d=broker::data{37}] +3 diff --git a/testing/btest/Baseline/core.leaks.comm.master_store/bro..stdout b/testing/btest/Baseline/core.leaks.comm.master_store/bro..stdout new file mode 100644 index 0000000000..defdc9a3e1 --- /dev/null +++ b/testing/btest/Baseline/core.leaks.comm.master_store/bro..stdout 
@@ -0,0 +1,14 @@ +lookup(two): [status=Store::SUCCESS, result=[d=broker::data{222}]] +lookup(four): [status=Store::SUCCESS, result=[d=]] +lookup(myset): [status=Store::SUCCESS, result=[d=broker::data{{a, c, d}}]] +lookup(one): [status=Store::SUCCESS, result=[d=broker::data{111}]] +lookup(myvec): [status=Store::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]] +exists(one): [status=Store::SUCCESS, result=[d=broker::data{1}]] +exists(two): [status=Store::SUCCESS, result=[d=broker::data{0}]] +exists(myset): [status=Store::SUCCESS, result=[d=broker::data{1}]] +exists(four): [status=Store::SUCCESS, result=[d=broker::data{0}]] +pop_right(myvec): [status=Store::SUCCESS, result=[d=broker::data{omega}]] +pop_left(myvec): [status=Store::SUCCESS, result=[d=broker::data{delta}]] +keys: [status=Store::SUCCESS, result=[d=broker::data{[myvec, myset, one]}]] +size: [status=Store::SUCCESS, result=[d=broker::data{3}]] +size (after clear): [status=Store::SUCCESS, result=[d=broker::data{0}]] diff --git a/testing/btest/Baseline/core.leaks.comm.remote_event/recv.recv.out b/testing/btest/Baseline/core.leaks.comm.remote_event/recv.recv.out new file mode 100644 index 0000000000..7dab0284ea --- /dev/null +++ b/testing/btest/Baseline/core.leaks.comm.remote_event/recv.recv.out @@ -0,0 +1,6 @@ +got event msg, ping, 0 +got event msg, ping, 1 +got event msg, ping, 2 +got event msg, ping, 3 +got event msg, ping, 4 +got event msg, ping, 5 diff --git a/testing/btest/Baseline/core.leaks.comm.remote_event/send.send.out b/testing/btest/Baseline/core.leaks.comm.remote_event/send.send.out new file mode 100644 index 0000000000..0e529e08fc --- /dev/null +++ b/testing/btest/Baseline/core.leaks.comm.remote_event/send.send.out 
@@ -0,0 +1,11 @@ +Comm::outgoing_connection_established, 127.0.0.1, 9999/tcp +got event msg, pong, 0 +got auto event msg, ping, 0 +got event msg, pong, 1 +got auto event msg, ping, 1 +got event msg, pong, 2 +got auto event msg, ping, 2 +got event msg, pong, 3 +got auto event msg, ping, 3 +got event msg, pong, 4 +got auto event msg, ping, 4 diff --git a/testing/btest/Baseline/core.leaks.comm.remote_log/recv.recv.out b/testing/btest/Baseline/core.leaks.comm.remote_log/recv.recv.out new file mode 100644 index 0000000000..3e0957442d --- /dev/null +++ b/testing/btest/Baseline/core.leaks.comm.remote_log/recv.recv.out @@ -0,0 +1,6 @@ +wrote log, [msg=ping, num=0] +wrote log, [msg=ping, num=1] +wrote log, [msg=ping, num=2] +wrote log, [msg=ping, num=3] +wrote log, [msg=ping, num=4] +wrote log, [msg=ping, num=5] diff --git a/testing/btest/Baseline/core.leaks.comm.remote_log/recv.test.log b/testing/btest/Baseline/core.leaks.comm.remote_log/recv.test.log new file mode 100644 index 0000000000..4fe7790779 --- /dev/null +++ b/testing/btest/Baseline/core.leaks.comm.remote_log/recv.test.log @@ -0,0 +1,15 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path test +#open 2015-02-12-17-33-13 +#fields msg num +#types string count +ping 0 +ping 1 +ping 2 +ping 3 +ping 4 +ping 5 +#close 2015-02-12-17-33-14 diff --git a/testing/btest/Baseline/core.leaks.comm.remote_log/send.send.out b/testing/btest/Baseline/core.leaks.comm.remote_log/send.send.out new file mode 100644 index 0000000000..e2415290d6 --- /dev/null +++ b/testing/btest/Baseline/core.leaks.comm.remote_log/send.send.out @@ -0,0 +1 @@ +Comm::outgoing_connection_established, 127.0.0.1, 9999/tcp diff --git a/testing/btest/Baseline/core.leaks.comm.remote_log/send.test.log b/testing/btest/Baseline/core.leaks.comm.remote_log/send.test.log new file mode 100644 index 0000000000..884517b252 --- /dev/null +++ b/testing/btest/Baseline/core.leaks.comm.remote_log/send.test.log 
@@ -0,0 +1,15 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path test
+#open 2015-02-12-17-33-13
+#fields msg num
+#types string count
+ping 0
+ping 1
+ping 2
+ping 3
+ping 4
+ping 5
+#close 2015-02-12-17-33-15
diff --git a/testing/btest/Baseline/core.leaks.comm.remote_print/recv.recv.out b/testing/btest/Baseline/core.leaks.comm.remote_print/recv.recv.out
new file mode 100644
index 0000000000..6e5a37abbf
--- /dev/null
+++ b/testing/btest/Baseline/core.leaks.comm.remote_print/recv.recv.out
@@ -0,0 +1,6 @@
+got print msg, ping 0
+got print msg, ping 1
+got print msg, ping 2
+got print msg, ping 3
+got print msg, ping 4
+got print msg, ping 5
diff --git a/testing/btest/Baseline/core.leaks.comm.remote_print/send.send.out b/testing/btest/Baseline/core.leaks.comm.remote_print/send.send.out
new file mode 100644
index 0000000000..777afdc0d2
--- /dev/null
+++ b/testing/btest/Baseline/core.leaks.comm.remote_print/send.send.out
@@ -0,0 +1,6 @@
+Comm::outgoing_connection_established, 127.0.0.1, 9999/tcp
+got print msg, pong 0
+got print msg, pong 1
+got print msg, pong 2
+got print msg, pong 3
+got print msg, pong 4
diff --git a/testing/btest/core/leaks/comm/clone_store.bro b/testing/btest/core/leaks/comm/clone_store.bro
new file mode 100644
index 0000000000..2a75bfa62f
--- /dev/null
+++ b/testing/btest/core/leaks/comm/clone_store.bro
@@ -0,0 +1,113 @@ +# @TEST-SERIALIZE: brokercomm +# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt +# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks +# @TEST-GROUP: leak + +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run clone "bro -m -b ../clone.bro broker_port=$BROKER_PORT >clone.out" +# @TEST-EXEC: btest-bg-run master "bro -b ../master.bro broker_port=$BROKER_PORT >master.out" + +# @TEST-EXEC: btest-bg-wait 45 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff clone/clone.out + +@TEST-START-FILE clone.bro + +const broker_port: port &redef; +redef exit_only_after_terminate = T; + +global h: opaque of Store::Handle; +global expected_key_count = 4; +global key_count = 0; + +function do_lookup(key: string) + { + when ( local res = Store::lookup(h, Comm::data(key)) ) + { + ++key_count; + print "lookup", key, res; + + if ( key_count == expected_key_count ) + terminate(); + } + timeout 10sec + { print "timeout"; } + } + +event ready() + { + h = Store::create_clone("mystore"); + + when ( local res = Store::keys(h) ) + { + print "clone keys", res; + do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 0))); + do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 1))); + do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 2))); + do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 3))); + } + timeout 10sec + { print "timeout"; } + } + +event bro_init() + { + Comm::enable(); + Comm::listen(broker_port, "127.0.0.1"); + Comm::subscribe_to_events("bro/event/ready"); + } + +@TEST-END-FILE + +@TEST-START-FILE master.bro + +const broker_port: port &redef; +redef exit_only_after_terminate = T; + +global h: opaque of Store::Handle; + +function dv(d: Comm::Data): Comm::DataVector + { + local rval: Comm::DataVector; + rval[0] = d; + return rval; + } + +global ready: event(); + +event Comm::outgoing_connection_broken(peer_address: string, + peer_port: port) + { + terminate(); + } 
+ +event Comm::outgoing_connection_established(peer_address: string, + peer_port: port, + peer_name: string) + { + local myset: set[string] = {"a", "b", "c"}; + local myvec: vector of string = {"alpha", "beta", "gamma"}; + Store::insert(h, Comm::data("one"), Comm::data(110)); + Store::insert(h, Comm::data("two"), Comm::data(223)); + Store::insert(h, Comm::data("myset"), Comm::data(myset)); + Store::insert(h, Comm::data("myvec"), Comm::data(myvec)); + Store::increment(h, Comm::data("one")); + Store::decrement(h, Comm::data("two")); + Store::add_to_set(h, Comm::data("myset"), Comm::data("d")); + Store::remove_from_set(h, Comm::data("myset"), Comm::data("b")); + Store::push_left(h, Comm::data("myvec"), dv(Comm::data("delta"))); + Store::push_right(h, Comm::data("myvec"), dv(Comm::data("omega"))); + + when ( local res = Store::size(h) ) + { event ready(); } + timeout 10sec + { print "timeout"; } + } + +event bro_init() + { + Comm::enable(); + h = Store::create_master("mystore"); + Comm::connect("127.0.0.1", broker_port, 1secs); + Comm::auto_event("bro/event/ready", ready); + } + +@TEST-END-FILE diff --git a/testing/btest/core/leaks/comm/data.bro b/testing/btest/core/leaks/comm/data.bro new file mode 100644 index 0000000000..bf614a2092 --- /dev/null +++ b/testing/btest/core/leaks/comm/data.bro 
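Review bot: The header of clone_store.bro tags the test `# @TEST-GROUP: leak`, while data.bro and master_store.bro, added in the same directory by this patch, use `# @TEST-GROUP: leaks`, so a run that selects the `leaks` group would skip this file. remote_event.test, remote_log.test and remote_print.test carry the same `leak` tag. Unless a separate group is intended, the line should read `# @TEST-GROUP: leaks` in all four files.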
@@ -0,0 +1,233 @@ +# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt +# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks +# @TEST-GROUP: leaks + +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b -r $TRACES/http/get.trace %INPUT +# @TEST-EXEC: btest-bg-wait 45 +# @TEST-EXEC: btest-diff bro/.stdout + +type bro_set: set[string]; +type bro_table: table[string] of count; +type bro_vector: vector of string; + +type bro_record : record { + a: string &optional; + b: string &default = "bee"; + c: count; +}; + +function comm_record_to_bro_record_recurse(it: opaque of Comm::RecordIterator, + rval: bro_record, + idx: count): bro_record + { + if ( Comm::record_iterator_last(it) ) + return rval; + + local field_value = Comm::record_iterator_value(it); + + if ( field_value?$d ) + switch ( idx ) { + case 0: + rval$a = Comm::refine_to_string(field_value); + break; + case 1: + rval$b = Comm::refine_to_string(field_value); + break; + case 2: + rval$c = Comm::refine_to_count(field_value); + break; + }; + + ++idx; + Comm::record_iterator_next(it); + return comm_record_to_bro_record_recurse(it, rval, idx); + } + +function comm_record_to_bro_record(d: Comm::Data): bro_record + { + return comm_record_to_bro_record_recurse(Comm::record_iterator(d), + bro_record($c = 0), 0); + } + +function +comm_set_to_bro_set_recurse(it: opaque of Comm::SetIterator, + rval: bro_set): bro_set + { + if ( Comm::set_iterator_last(it) ) + return rval; + + add rval[Comm::refine_to_string(Comm::set_iterator_value(it))]; + Comm::set_iterator_next(it); + return comm_set_to_bro_set_recurse(it, rval); + } + + +function comm_set_to_bro_set(d: Comm::Data): bro_set + { + return comm_set_to_bro_set_recurse(Comm::set_iterator(d), bro_set()); + } + +function +comm_table_to_bro_table_recurse(it: opaque of Comm::TableIterator, + rval: bro_table): bro_table + { + if ( Comm::table_iterator_last(it) ) + return rval; + + local item = Comm::table_iterator_value(it); + 
rval[Comm::refine_to_string(item$key)] = Comm::refine_to_count(item$val); + Comm::table_iterator_next(it); + return comm_table_to_bro_table_recurse(it, rval); + } + +function comm_table_to_bro_table(d: Comm::Data): bro_table + { + return comm_table_to_bro_table_recurse(Comm::table_iterator(d), + bro_table()); + } + +function comm_vector_to_bro_vector_recurse(it: opaque of Comm::VectorIterator, + rval: bro_vector): bro_vector + { + if ( Comm::vector_iterator_last(it) ) + return rval; + + rval[|rval|] = Comm::refine_to_string(Comm::vector_iterator_value(it)); + Comm::vector_iterator_next(it); + return comm_vector_to_bro_vector_recurse(it, rval); + } + +function comm_vector_to_bro_vector(d: Comm::Data): bro_vector + { + return comm_vector_to_bro_vector_recurse(Comm::vector_iterator(d), + bro_vector()); + } + +event bro_init() + { +Comm::enable(); + } + +global did_it = F; + +event new_connection(c: connection) + { +if ( did_it ) return; +did_it = T; +print Comm::data_type(Comm::data(T)); +print Comm::data_type(Comm::data(+1)); +print Comm::data_type(Comm::data(1)); +print Comm::data_type(Comm::data(1.1)); +print Comm::data_type(Comm::data("1 (how creative)")); +print Comm::data_type(Comm::data(1.1.1.1)); +print Comm::data_type(Comm::data(1.1.1.1/1)); +print Comm::data_type(Comm::data(1/udp)); +print Comm::data_type(Comm::data(double_to_time(1))); +print Comm::data_type(Comm::data(1sec)); +print Comm::data_type(Comm::data(Comm::BOOL)); +local s: bro_set = bro_set("one", "two", "three"); +local t: bro_table = bro_table(["one"] = 1, ["two"] = 2, ["three"] = 3); +local v: bro_vector = bro_vector("zero", "one", "two"); +local r: bro_record = bro_record($c = 1); +print Comm::data_type(Comm::data(s)); +print Comm::data_type(Comm::data(t)); +print Comm::data_type(Comm::data(v)); +print Comm::data_type(Comm::data(r)); + +print "***************************"; + +print Comm::refine_to_bool(Comm::data(T)); +print Comm::refine_to_bool(Comm::data(F)); +print 
Comm::refine_to_int(Comm::data(+1)); +print Comm::refine_to_int(Comm::data(+0)); +print Comm::refine_to_int(Comm::data(-1)); +print Comm::refine_to_count(Comm::data(1)); +print Comm::refine_to_count(Comm::data(0)); +print Comm::refine_to_double(Comm::data(1.1)); +print Comm::refine_to_double(Comm::data(-11.1)); +print Comm::refine_to_string(Comm::data("hello")); +print Comm::refine_to_addr(Comm::data(1.2.3.4)); +print Comm::refine_to_subnet(Comm::data(192.168.1.1/16)); +print Comm::refine_to_port(Comm::data(22/tcp)); +print Comm::refine_to_time(Comm::data(double_to_time(42))); +print Comm::refine_to_interval(Comm::data(3min)); +print Comm::refine_to_enum_name(Comm::data(Comm::BOOL)); + +print "***************************"; + +local cs = Comm::data(s); +print comm_set_to_bro_set(cs); +cs = Comm::set_create(); +print Comm::set_size(cs); +print Comm::set_insert(cs, Comm::data("hi")); +print Comm::set_size(cs); +print Comm::set_contains(cs, Comm::data("hi")); +print Comm::set_contains(cs, Comm::data("bye")); +print Comm::set_insert(cs, Comm::data("bye")); +print Comm::set_size(cs); +print Comm::set_remove(cs, Comm::data("hi")); +print Comm::set_size(cs); +print Comm::set_remove(cs, Comm::data("hi")); +print comm_set_to_bro_set(cs); +Comm::set_clear(cs); +print Comm::set_size(cs); + +print "***************************"; + +local ct = Comm::data(t); +print comm_table_to_bro_table(ct); +ct = Comm::table_create(); +print Comm::table_size(ct); +print Comm::table_insert(ct, Comm::data("hi"), Comm::data(42)); +print Comm::table_size(ct); +print Comm::table_contains(ct, Comm::data("hi")); +print Comm::refine_to_count(Comm::table_lookup(ct, Comm::data("hi"))); +print Comm::table_contains(ct, Comm::data("bye")); +print Comm::table_insert(ct, Comm::data("bye"), Comm::data(7)); +print Comm::table_size(ct); +print Comm::table_insert(ct, Comm::data("bye"), Comm::data(37)); +print Comm::table_size(ct); +print Comm::refine_to_count(Comm::table_lookup(ct, Comm::data("bye"))); +print 
Comm::table_remove(ct, Comm::data("hi")); +print Comm::table_size(ct); + +print "***************************"; + +local cv = Comm::data(v); +print comm_vector_to_bro_vector(cv); +cv = Comm::vector_create(); +print Comm::vector_size(cv); +print Comm::vector_insert(cv, Comm::data("hi"), 0); +print Comm::vector_insert(cv, Comm::data("hello"), 1); +print Comm::vector_insert(cv, Comm::data("greetings"), 2); +print Comm::vector_insert(cv, Comm::data("salutations"), 1); +print comm_vector_to_bro_vector(cv); +print Comm::vector_size(cv); +print Comm::vector_replace(cv, Comm::data("bah"), 2); +print Comm::vector_lookup(cv, 2); +print Comm::vector_lookup(cv, 0); +print comm_vector_to_bro_vector(cv); +print Comm::vector_remove(cv, 2); +print comm_vector_to_bro_vector(cv); +print Comm::vector_size(cv); + +print "***************************"; + +local cr = Comm::data(r); +print comm_record_to_bro_record(cr); +r$a = "test"; +cr = Comm::data(r); +print comm_record_to_bro_record(cr); +r$b = "testagain"; +cr = Comm::data(r); +print comm_record_to_bro_record(cr); +cr = Comm::record_create(3); +print Comm::record_size(cr); +print Comm::record_assign(cr, Comm::data("hi"), 0); +print Comm::record_assign(cr, Comm::data("hello"), 1); +print Comm::record_assign(cr, Comm::data(37), 2); +print Comm::record_lookup(cr, 0); +print Comm::record_lookup(cr, 1); +print Comm::record_lookup(cr, 2); +print Comm::record_size(cr); +} diff --git a/testing/btest/core/leaks/comm/master_store.bro b/testing/btest/core/leaks/comm/master_store.bro new file mode 100644 index 0000000000..a5c1063e6f --- /dev/null +++ b/testing/btest/core/leaks/comm/master_store.bro 
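Review bot: In data.bro the bodies of `bro_init` and `new_connection` appear flush-left in the diff (`+Comm::enable();`, `+if ( did_it ) return;`), while every helper function above them indents its body; indenting them like the rest of the file, as master_store.bro does, would make the long print sequence easier to follow. The `did_it` guard is also unexplained. A comment above it such as `# Run the checks once, on the first connection in the trace.` would say why the test is driven from `new_connection` rather than `bro_init`.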
@@ -0,0 +1,155 @@ +# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt +# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks +# @TEST-GROUP: leaks + +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b -r $TRACES/http/get.trace %INPUT +# @TEST-EXEC: btest-bg-wait 45 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff bro/.stdout + +redef exit_only_after_terminate = T; + +global h: opaque of Store::Handle; +global lookup_count = 0; +const lookup_expect_count = 5; +global exists_count = 0; +const exists_expect_count = 4; +global pop_count = 0; +const pop_expect_count = 2; + +global test_size: event(where: string &default = ""); + +event test_clear() + { + Store::clear(h); + event test_size("after clear"); + } + +event test_size(where: string) + { + when ( local res = Store::size(h) ) + { + if ( where == "" ) + { + print fmt("size: %s", res); + event test_clear(); + } + else + { + print fmt("size (%s): %s", where, res); + terminate(); + } + } + timeout 10sec + { print "timeout"; } + } + +event test_keys() + { + when ( local res = Store::keys(h) ) + { + print fmt("keys: %s", res); + event test_size(); + } + timeout 10sec + { print "timeout"; } + } + +event test_pop(key: string) + { + when ( local lres = Store::pop_left(h, Comm::data(key)) ) + { + print fmt("pop_left(%s): %s", key, lres); + ++pop_count; + + if ( pop_count == pop_expect_count ) + event test_keys(); + } + timeout 10sec + { print "timeout"; } + + when ( local rres = Store::pop_right(h, Comm::data(key)) ) + { + print fmt("pop_right(%s): %s", key, rres); + ++pop_count; + + if ( pop_count == pop_expect_count ) + event test_keys(); + } + timeout 10sec + { print "timeout"; } + } + +function do_exists(key: string) + { + when ( local res = Store::exists(h, Comm::data(key)) ) + { + print fmt("exists(%s): %s", key, res); + ++exists_count; + + if ( exists_count == exists_expect_count ) + event test_pop("myvec"); + } + timeout 10sec + { print "timeout"; } + } 
+ +event test_erase() + { + Store::erase(h, Comm::data("two")); + do_exists("one"); + do_exists("two"); + do_exists("myset"); + do_exists("four"); + } + +function do_lookup(key: string) + { + when ( local res = Store::lookup(h, Comm::data(key)) ) + { + print fmt("lookup(%s): %s", key, res); + ++lookup_count; + + if ( lookup_count == lookup_expect_count ) + event test_erase(); + } + timeout 10sec + { print "timeout"; } + } + +function dv(d: Comm::Data): Comm::DataVector + { + local rval: Comm::DataVector; + rval[0] = d; + return rval; + } + +global did_it = F; + +event bro_init() + { + Comm::enable(); + h = Store::create_master("master"); + } + +event new_connection(c: connection) + { + if ( did_it ) return; + did_it = T; + local myset: set[string] = {"a", "b", "c"}; + local myvec: vector of string = {"alpha", "beta", "gamma"}; + Store::insert(h, Comm::data("one"), Comm::data(110)); + Store::insert(h, Comm::data("two"), Comm::data(223)); + Store::insert(h, Comm::data("myset"), Comm::data(myset)); + Store::insert(h, Comm::data("myvec"), Comm::data(myvec)); + Store::increment(h, Comm::data("one")); + Store::decrement(h, Comm::data("two")); + Store::add_to_set(h, Comm::data("myset"), Comm::data("d")); + Store::remove_from_set(h, Comm::data("myset"), Comm::data("b")); + Store::push_left(h, Comm::data("myvec"), dv(Comm::data("delta"))); + Store::push_right(h, Comm::data("myvec"), dv(Comm::data("omega"))); + do_lookup("one"); + do_lookup("two"); + do_lookup("myset"); + do_lookup("four"); + do_lookup("myvec"); + } diff --git a/testing/btest/core/leaks/comm/remote_event.test b/testing/btest/core/leaks/comm/remote_event.test new file mode 100644 index 0000000000..a329b527db --- /dev/null +++ b/testing/btest/core/leaks/comm/remote_event.test 
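Review bot: Every `timeout 10sec` block in master_store.bro only prints "timeout", and the script sets `exit_only_after_terminate = T`, so a store query that times out breaks the event chain and leaves bro running until `btest-bg-wait 45` gives up. Ending the run in the timeout branch, `{ print "timeout"; terminate(); }`, would make a stalled query fail fast, with the "timeout" line showing up in the baseline diff. The `when`/`timeout` blocks in clone.bro and master.bro of clone_store.bro have the same shape.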
@@ -0,0 +1,96 @@ +# @TEST-SERIALIZE: brokercomm +# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt +# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks +# @TEST-GROUP: leak + +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.bro broker_port=$BROKER_PORT >recv.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.bro broker_port=$BROKER_PORT >send.out" + +# @TEST-EXEC: btest-bg-wait 45 +# @TEST-EXEC: btest-diff recv/recv.out +# @TEST-EXEC: btest-diff send/send.out + +@TEST-START-FILE recv.bro + +const broker_port: port &redef; +redef exit_only_after_terminate = T; + +global event_handler: event(msg: string, c: count); +global auto_event_handler: event(msg: string, c: count); + +event bro_init() + { + Comm::enable(); + Comm::listen(broker_port, "127.0.0.1"); + Comm::subscribe_to_events("bro/event/"); + Comm::auto_event("bro/event/my_topic", auto_event_handler); + } + +global event_count = 0; +global events_to_recv = 6; + +event event_handler(msg: string, n: count) + { + ++event_count; + print "got event msg", msg, n; + + if ( event_count == events_to_recv ) + { + terminate(); + return; + } + + event auto_event_handler(msg, n); + local args = Comm::event_args(event_handler, "pong", n); + Comm::event("bro/event/my_topic", args); + } + +@TEST-END-FILE + +@TEST-START-FILE send.bro + +const broker_port: port &redef; +redef exit_only_after_terminate = T; + +global event_handler: event(msg: string, c: count); +global auto_event_handler: event(msg: string, c: count); + +event bro_init() + { + Comm::enable(); + Comm::subscribe_to_events("bro/event/my_topic"); + Comm::connect("127.0.0.1", broker_port, 1secs); + } + +global event_count = 0; + +event Comm::outgoing_connection_established(peer_address: string, + peer_port: port, + peer_name: string) + { + print "Comm::outgoing_connection_established", peer_address, peer_port; + local args = Comm::event_args(event_handler, 
"ping", event_count); + Comm::event("bro/event/hi", args); + ++event_count; + } + +event Comm::outgoing_connection_broken(peer_address: string, + peer_port: port) + { + terminate(); + } + +event event_handler(msg: string, n: count) + { + print "got event msg", msg, n; + local args = Comm::event_args(event_handler, "ping", event_count); + Comm::event("bro/event/hi", args); + ++event_count; + } + +event auto_event_handler(msg: string, n: count) + { + print "got auto event msg", msg, n; + } + +@TEST-END-FILE diff --git a/testing/btest/core/leaks/comm/remote_log.test b/testing/btest/core/leaks/comm/remote_log.test new file mode 100644 index 0000000000..6f20bf8cd4 --- /dev/null +++ b/testing/btest/core/leaks/comm/remote_log.test 
@@ -0,0 +1,98 @@ +# @TEST-SERIALIZE: brokercomm +# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt +# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks +# @TEST-GROUP: leak + +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../common.bro ../recv.bro broker_port=$BROKER_PORT >recv.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../common.bro ../send.bro broker_port=$BROKER_PORT >send.out" + +# @TEST-EXEC: btest-bg-wait 45 +# @TEST-EXEC: btest-diff recv/recv.out +# @TEST-EXEC: btest-diff recv/test.log +# @TEST-EXEC: btest-diff send/send.out +# @TEST-EXEC: btest-diff send/test.log + +@TEST-START-FILE common.bro + +module Test; + +export { + redef enum Log::ID += { LOG }; + + type Info: record { + msg: string &log; + num: count &log; + }; + + global log_test: event(rec: Test::Info); +} + +event bro_init() &priority=5 + { + Comm::enable(); + Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test]); + } + +@TEST-END-FILE + +@TEST-START-FILE recv.bro + +const broker_port: port &redef; +redef exit_only_after_terminate = T; + +event bro_init() + { + Comm::listen(broker_port, "127.0.0.1"); + Comm::subscribe_to_logs("bro/log/"); + } + +event Test::log_test(rec: Test::Info) + { + print "wrote log", rec; + + if ( rec$num == 5 ) + terminate(); + } + +@TEST-END-FILE + +@TEST-START-FILE send.bro + +const broker_port: port &redef; +redef exit_only_after_terminate = T; + +event bro_init() + { + Comm::enable_remote_logs(Test::LOG); + Comm::connect("127.0.0.1", broker_port, 1secs); + } + +global n = 0; + +event do_write() + { + if ( n == 6 ) + return; + else + { + Log::write(Test::LOG, [$msg = "ping", $num = n]); + ++n; + event do_write(); + } + } + +event Comm::outgoing_connection_established(peer_address: string, + peer_port: port, + peer_name: string) + { + print "Comm::outgoing_connection_established", peer_address, peer_port; + event do_write(); + } + +event 
Comm::outgoing_connection_broken(peer_address: string, + peer_port: port) + { + terminate(); + } + +@TEST-END-FILE diff --git a/testing/btest/core/leaks/comm/remote_print.test b/testing/btest/core/leaks/comm/remote_print.test new file mode 100644 index 0000000000..43fe50b632 --- /dev/null +++ b/testing/btest/core/leaks/comm/remote_print.test 
@@ -0,0 +1,85 @@ +# @TEST-SERIALIZE: brokercomm +# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt +# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks +# @TEST-GROUP: leak + +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.bro broker_port=$BROKER_PORT >recv.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.bro broker_port=$BROKER_PORT >send.out" + +# @TEST-EXEC: btest-bg-wait 45 +# @TEST-EXEC: btest-diff recv/recv.out +# @TEST-EXEC: btest-diff send/send.out + +@TEST-START-FILE recv.bro + +const broker_port: port &redef; +redef exit_only_after_terminate = T; + +event bro_init() + { + Comm::enable(); + Comm::listen(broker_port, "127.0.0.1"); + Comm::subscribe_to_prints("bro/print/"); + } + +global messages_to_recv = 6; +global messages_sent = 0; +global messages_recv = 0; + +event Comm::print_handler(msg: string) + { + ++messages_recv; + print "got print msg", msg; + + if ( messages_to_recv == messages_recv ) + { + terminate(); + return; + } + + Comm::print("bro/print/my_topic", fmt("pong %d", messages_sent)); + ++messages_sent; + } + +@TEST-END-FILE + +@TEST-START-FILE send.bro + +const broker_port: port &redef; +redef exit_only_after_terminate = T; + +event bro_init() + { + Comm::enable(); + Comm::subscribe_to_prints("bro/print/my_topic"); + Comm::connect("127.0.0.1", broker_port, 1secs); + } + +global messages_sent = 0; +global messages_recv = 0; +global peer_disconnected = F; + +event Comm::outgoing_connection_established(peer_address: string, + peer_port: port, + peer_name: string) + { + print "Comm::outgoing_connection_established", peer_address, peer_port; + Comm::print("bro/print/hi", fmt("ping %d", messages_sent)); + ++messages_sent; + } + +event Comm::outgoing_connection_broken(peer_address: string, + peer_port: port) + { + terminate(); + } + +event Comm::print_handler(msg: string) + { + ++messages_recv; + print "got print msg", msg; + 
Comm::print("bro/print/hi", fmt("ping %d", messages_sent)); + ++messages_sent; + } + +@TEST-END-FILE From 961fd06cad004f1f167ebbf65f241349a2ea9b63 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 12 Feb 2015 17:06:38 -0600 Subject: [PATCH 044/109] Refactor SOCKS5 user/pass authentication support. - Rename event "socks_login_userpass" to "socks_login_userpass_request" - Rename event "socks_login_reply" to "socks_login_userpass_reply" - Split unsupported authN weird into 2 types: method vs. version Addresses BIT-1011 --- scripts/base/protocols/socks/main.bro | 4 +- src/analyzer/protocol/socks/events.bif | 6 +-- .../protocol/socks/socks-analyzer.pac | 40 ++++++++------ .../protocol/socks/socks-protocol.pac | 53 +++++++++++++++++-- src/analyzer/protocol/socks/socks.pac | 2 +- testing/btest/Baseline/plugins.writer/output | 4 +- 6 files changed, 82 insertions(+), 27 deletions(-) diff --git a/scripts/base/protocols/socks/main.bro b/scripts/base/protocols/socks/main.bro index f60c3ce41c..e052962888 100644 --- a/scripts/base/protocols/socks/main.bro +++ b/scripts/base/protocols/socks/main.bro @@ -94,7 +94,7 @@ event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Addres Log::write(SOCKS::LOG, c$socks); } -event socks_login_userpass(c: connection, user: string, password: string) &priority=5 +event socks_login_userpass_request(c: connection, user: string, password: string) &priority=5 { # Authentication only possible with the version 5. set_session(c, 5); @@ -103,7 +103,7 @@ event socks_login_userpass(c: connection, user: string, password: string) &prior c$socks$password = password; } -event socks_login_reply(c: connection, code: count) &priority=5 +event socks_login_userpass_reply(c: connection, code: count) &priority=5 { # Authentication only possible with the version 5. set_session(c, 5); diff --git a/src/analyzer/protocol/socks/events.bif b/src/analyzer/protocol/socks/events.bif index ece69140a1..224f570817 100644 
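Review bot: In send.bro of remote_print.test, `global peer_disconnected = F;` is declared but never read or assigned anywhere in the file. Dropping the line keeps the test's state down to the two message counters it actually uses.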
--- a/src/analyzer/protocol/socks/events.bif +++ b/src/analyzer/protocol/socks/events.bif @@ -34,12 +34,12 @@ event socks_reply%(c: connection, version: count, reply: count, sa: SOCKS::Addre ## user: The given username. ## ## password: The given password. -event socks_login_userpass%(c: connection, user: string, password: string%); +event socks_login_userpass_request%(c: connection, user: string, password: string%); -## Generated when a SOCKS server replies to a login attempt. +## Generated when a SOCKS server replies to a username/password login attempt. ## ## c: The parent connection of the proxy. ## ## code: The response code for the attempted login. -event socks_login_reply%(c: connection, code: count%); +event socks_login_userpass_reply%(c: connection, code: count%); diff --git a/src/analyzer/protocol/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac index 7d634e2f46..b8c4165a54 100644 --- a/src/analyzer/protocol/socks/socks-analyzer.pac +++ b/src/analyzer/protocol/socks/socks-analyzer.pac 
@@ -148,28 +148,34 @@ refine connection SOCKS_Conn += { return true; %} - function socks5_auth_request_userpass(request: SOCKS5_Auth_Request_UserPass): bool + function socks5_auth_request_userpass(request: SOCKS5_Auth_Request_UserPass_v1): bool %{ StringVal* user = new StringVal(${request.username}.length(), (const char*) ${request.username}.begin()); StringVal* pass = new StringVal(${request.password}.length(), (const char*) ${request.password}.begin()); - BifEvent::generate_socks_login_userpass(bro_analyzer(), - bro_analyzer()->Conn(), - user, pass); + BifEvent::generate_socks_login_userpass_request(bro_analyzer(), + bro_analyzer()->Conn(), + user, pass); return true; %} - function socks5_unsupported_authentication(auth_method: uint8): bool + function socks5_unsupported_authentication_method(auth_method: uint8): bool %{ - reporter->Weird(bro_analyzer()->Conn(), fmt("socks5_unsupported_authentication_%d", auth_method)); + reporter->Weird(bro_analyzer()->Conn(), fmt("socks5_unsupported_authentication_method_%d", auth_method)); + return true; + %} + + function socks5_unsupported_authentication_version(auth_method: uint8, version: uint8): bool + %{ + reporter->Weird(bro_analyzer()->Conn(), fmt("socks5_unsupported_authentication_%d_%d", auth_method, version)); return true; %} - function socks5_auth_reply(reply: SOCKS5_Auth_Reply): bool + function socks5_auth_reply_userpass(reply: SOCKS5_Auth_Reply_UserPass_v1): bool %{ - BifEvent::generate_socks_login_reply(bro_analyzer(), - bro_analyzer()->Conn(), - ${reply.code}); + BifEvent::generate_socks_login_userpass_reply(bro_analyzer(), + bro_analyzer()->Conn(), + ${reply.code}); return true; %} 
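Review bot: Both weirds added in socks5_unsupported_authentication_method and socks5_unsupported_authentication_version build the weird name from bytes the remote peer chose, so a single peer can generate many distinct names (one per method value, or per method/version pair). That makes the names awkward to match in policy scripts and could sidestep any handling keyed on a fixed weird name. The version weird is also formatted as `socks5_unsupported_authentication_%d_%d`, without the word "version", next to `socks5_unsupported_authentication_method_%d`. A fixed name with the numbers passed as additional info would avoid both, e.g. `reporter->Weird(bro_analyzer()->Conn(), "socks5_unsupported_authentication_version", fmt("%d,%d", auth_method, version));`, assuming the Weird overload used here accepts that third argument.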
@@ -205,14 +211,18 @@ refine typeattr SOCKS5_Reply += &let { refine typeattr SOCKS5_Auth_Negotiation_Reply += &let { }; -refine typeattr SOCKS5_Auth_Request_UserPass += &let { +refine typeattr SOCKS5_Auth_Request_UserPass_v1 += &let { proc: bool = $context.connection.socks5_auth_request_userpass(this); }; -refine typeattr SOCKS5_Auth_Reply += &let { - proc: bool = $context.connection.socks5_auth_reply(this); +refine typeattr SOCKS5_Auth_Reply_UserPass_v1 += &let { + proc: bool = $context.connection.socks5_auth_reply_userpass(this); }; -refine typeattr SOCKS5_Unsupported_Authentication += &let { - proc: bool = $context.connection.socks5_unsupported_authentication($context.connection.v5_auth_method()); +refine typeattr SOCKS5_Unsupported_Authentication_Method += &let { + proc: bool = $context.connection.socks5_unsupported_authentication_method($context.connection.v5_auth_method()); +}; + +refine typeattr SOCKS5_Unsupported_Authentication_Version += &let { + proc: bool = $context.connection.socks5_unsupported_authentication_version($context.connection.v5_auth_method(), version); }; diff --git a/src/analyzer/protocol/socks/socks-protocol.pac b/src/analyzer/protocol/socks/socks-protocol.pac index 4e48ea0672..d9c31d2377 100644 --- a/src/analyzer/protocol/socks/socks-protocol.pac +++ b/src/analyzer/protocol/socks/socks-protocol.pac @@ -1,8 +1,12 @@ +type SOCKS_Message(is_orig: bool) = case $context.connection.v5_in_auth_sub_negotiation() of { + true -> auth: SOCKS5_Auth_Message(is_orig); + false -> msg: SOCKS_Version(is_orig); +}; + type SOCKS_Version(is_orig: bool) = record { version: uint8; msg: case version of { - 1 -> socks5_auth_msg: SOCKS5_Auth_Message(is_orig); 4 -> socks4_msg: SOCKS4_Message(is_orig); 5 -> socks5_msg: SOCKS5_Message(is_orig); default -> socks_msg_fail: SOCKS_Version_Error(version); 
@@ -33,6 +37,7 @@ type SOCKS5_Auth_Negotiation_Request = record { type SOCKS5_Auth_Negotiation_Reply = record { selected_auth_method: uint8; } &let { + in_auth_sub_neg = $context.connection.set_v5_in_auth_sub_negotiation(selected_auth_method == 0 || selected_auth_method == 0xff ? false : true); past_auth = $context.connection.set_v5_past_authentication(); set_auth = $context.connection.set_v5_auth_method(selected_auth_method); }; 
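Review bot: The added `in_auth_sub_neg` line negates its condition through `? false : true` and compares against bare `0` and `0xff`, which hides the rule it encodes: a sub-negotiation follows unless the server selected "no authentication required" or "no acceptable methods" (RFC 1928). Writing it as `in_auth_sub_neg = $context.connection.set_v5_in_auth_sub_negotiation(selected_auth_method != 0 && selected_auth_method != 0xff);` with a one-line comment naming the two values says the same thing directly. The record definition starts above the hunk.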
@@ -44,21 +49,48 @@ type SOCKS5_Auth_Message(is_orig: bool) = case is_orig of { type SOCKS5_Auth_Request = case $context.connection.v5_auth_method() of { 0x02 -> userpass : SOCKS5_Auth_Request_UserPass; - default -> unsupported : SOCKS5_Unsupported_Authentication; + default -> unsupported : SOCKS5_Unsupported_Authentication_Method; }; -type SOCKS5_Unsupported_Authentication = record { +type SOCKS5_Unsupported_Authentication_Method = record { + crap: bytestring &restofdata; +}; + +type SOCKS5_Unsupported_Authentication_Version(version: uint8) = record { crap: bytestring &restofdata; }; type SOCKS5_Auth_Request_UserPass = record { + version: uint8; + msg: case version of { + 1 -> v1: SOCKS5_Auth_Request_UserPass_v1; + default -> unsupported: SOCKS5_Unsupported_Authentication_Version(version); + }; +}; + +type SOCKS5_Auth_Request_UserPass_v1 = record { ulen : uint8; username : bytestring &length=ulen; plen : uint8; password : bytestring &length=plen; }; -type SOCKS5_Auth_Reply = record { +type SOCKS5_Auth_Reply = case $context.connection.v5_auth_method() of { + 0x02 -> userpass : SOCKS5_Auth_Reply_UserPass; + default -> unsupported : SOCKS5_Unsupported_Authentication_Method; +} &let { + in_auth_sub_neg = $context.connection.set_v5_in_auth_sub_negotiation(false); +}; + +type SOCKS5_Auth_Reply_UserPass = record { + version: uint8; + msg: case version of { + 1 -> v1: SOCKS5_Auth_Reply_UserPass_v1; + default -> unsupported: SOCKS5_Unsupported_Authentication_Version(version); + }; +}; + +type SOCKS5_Auth_Reply_UserPass_v1 = record { code : uint8; }; 
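Review bot: The `&let` on `SOCKS5_Auth_Reply` clears `v5_in_auth_sub_negotiation` after the first server message on every branch, including `unsupported`, and nothing visible on the request side clears it. That fits username/password (one request, one reply), but the assumption is not written down. A comment above the `&let` such as `# Sub-negotiation is treated as one request/reply exchange; the first server auth message ends it.` would record it. For a method that needs several round trips, later messages would, as far as this hunk shows, be parsed as `SOCKS_Version` again, so it is worth stating whether that is intended.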
@@ -126,15 +158,28 @@ type SOCKS4_Reply = record { refine connection SOCKS_Conn += { %member{ + bool v5_in_auth_sub_negotiation_; bool v5_authenticated_; uint8 selected_auth_method_; %} %init{ + v5_in_auth_sub_negotiation_ = false; v5_authenticated_ = false; selected_auth_method_ = 255; %} + function v5_in_auth_sub_negotiation(): bool + %{ + return v5_in_auth_sub_negotiation_; + %} + + function set_v5_in_auth_sub_negotiation(b: bool): bool + %{ + v5_in_auth_sub_negotiation_ = b; + return true; + %} + function v5_past_authentication(): bool %{ return v5_authenticated_; diff --git a/src/analyzer/protocol/socks/socks.pac b/src/analyzer/protocol/socks/socks.pac index a9c4099508..9aed2820af 100644 --- a/src/analyzer/protocol/socks/socks.pac +++ b/src/analyzer/protocol/socks/socks.pac @@ -20,7 +20,7 @@ connection SOCKS_Conn(bro_analyzer: BroAnalyzer) { %include socks-protocol.pac flow SOCKS_Flow(is_orig: bool) { - datagram = SOCKS_Version(is_orig) withcontext(connection, this); + datagram = SOCKS_Message(is_orig) withcontext(connection, this); }; %include socks-analyzer.pac diff --git a/testing/btest/Baseline/plugins.writer/output b/testing/btest/Baseline/plugins.writer/output index 0882718f03..f7b33992ea 100644 --- a/testing/btest/Baseline/plugins.writer/output +++ b/testing/btest/Baseline/plugins.writer/output 
@@ -17,6 +17,6 @@ Demo::Foo - A Foo test logging writer (dynamic, version 1.0) [http] 1340213020.732963|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|5|GET|www.osnews.com|/images/icons/17.gif|http://www.osnews.com/|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-|-||-|-|-|-|-|-|- [http] 1340213021.300269|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|6|GET|www.osnews.com|/images/left.gif|http://www.osnews.com/|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-|-||-|-|-|-|-|-|- [http] 1340213021.861584|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|7|GET|www.osnews.com|/images/icons/32.gif|http://www.osnews.com/|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-|-||-|-|-|-|-|-|- -[packet_filter] 1412721099.419280|bro|ip or not ip|T|T -[socks] 1340213015.276495|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|5|-|succeeded|-|www.osnews.com|80|192.168.0.31|-|2688 +[packet_filter] 1423781675.402129|bro|ip or not ip|T|T +[socks] 1340213015.276495|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|5|-|-|succeeded|-|www.osnews.com|80|192.168.0.31|-|2688 [tunnel] 1340213015.276495|-|10.0.0.55|0|60.190.189.214|8124|Tunnel::SOCKS|Tunnel::DISCOVER From 062baefde09483277bbc94574cfc45793779f98e Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Fri, 13 Feb 2015 11:24:32 -0600 Subject: [PATCH 045/109] Add 'while' statement to Bro language. --- src/SerialTypes.h | 1 + src/Stmt.cc | 122 +++++++++++++++++++++- src/Stmt.h | 29 +++++ src/StmtEnums.h | 1 + src/parse.y | 6 ++ src/scan.l | 1 + testing/btest/Baseline/language.while/out | 12 +++ testing/btest/core/leaks/while.bro | 80 ++++++++++++++ testing/btest/language/while.bro | 77 ++++++++++++++ 9 files changed, 328 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/language.while/out create mode 100644 testing/btest/core/leaks/while.bro create mode 100644 testing/btest/language/while.bro diff --git a/src/SerialTypes.h b/src/SerialTypes.h index d2f227838c..e50ec3889f 100644 --- a/src/SerialTypes.h +++ b/src/SerialTypes.h @@ -181,6 +181,7 @@ SERIAL_STMT(INIT_STMT, 17) SERIAL_STMT(NULL_STMT, 18) SERIAL_STMT(WHEN_STMT, 19) SERIAL_STMT(FALLTHROUGH_STMT, 20) +SERIAL_STMT(WHILE_STMT, 21) #define SERIAL_TYPE(name, val) SERIAL_CONST(name, val, BRO_TYPE) SERIAL_TYPE(BRO_TYPE, 1) diff --git a/src/Stmt.cc b/src/Stmt.cc index cb716b3f15..d2f8c48cee 100644 --- a/src/Stmt.cc +++ b/src/Stmt.cc @@ -23,7 +23,7 @@ const char* stmt_name(BroStmtTag t) "print", "event", "expr", "if", "when", "switch", "for", "next", "break", "return", "add", "delete", "list", "bodylist", - "", "fallthrough", + "", "fallthrough", "while", "null", }; 
@@ -1127,6 +1127,126 @@ bool EventStmt::DoUnserialize(UnserialInfo* info) return event_expr != 0; } +WhileStmt::WhileStmt(Expr* arg_loop_condition, Stmt* arg_body) + : loop_condition(arg_loop_condition), body(arg_body) + { + if ( ! loop_condition->IsError() && + ! IsBool(loop_condition->Type()->Tag()) ) + loop_condition->Error("while conditional must be boolean"); + } + +WhileStmt::~WhileStmt() + { + Unref(loop_condition); + Unref(body); + } + +int WhileStmt::IsPure() const + { + return loop_condition->IsPure() && body->IsPure(); + } + +void WhileStmt::Describe(ODesc* d) const + { + Stmt::Describe(d); + + if ( d->IsReadable() ) + d->Add("("); + + loop_condition->Describe(d); + + if ( d->IsReadable() ) + d->Add(")"); + + d->SP(); + d->PushIndent(); + body->AccessStats(d); + body->Describe(d); + d->PopIndent(); + } + +TraversalCode WhileStmt::Traverse(TraversalCallback* cb) const + { + TraversalCode tc = cb->PreStmt(this); + HANDLE_TC_STMT_PRE(tc); + + tc = loop_condition->Traverse(cb); + HANDLE_TC_STMT_PRE(tc); + + tc = body->Traverse(cb); + HANDLE_TC_STMT_PRE(tc); + + tc = cb->PostStmt(this); + HANDLE_TC_STMT_POST(tc); + } + +Val* WhileStmt::Exec(Frame* f, stmt_flow_type& flow) const + { + RegisterAccess(); + flow = FLOW_NEXT; + Val* rval = 0; + + for ( ; ; ) + { + Val* cond = loop_condition->Eval(f); + + if ( ! cond ) + break; + + bool cont = cond->AsBool(); + Unref(cond); + + if ( ! 
cont ) + break; + + flow = FLOW_NEXT; + rval = body->Exec(f, flow); + + if ( flow == FLOW_BREAK || flow == FLOW_RETURN ) + break; + } + + if ( flow == FLOW_LOOP || flow == FLOW_BREAK ) + flow = FLOW_NEXT; + + return rval; + } + +Stmt* WhileStmt::Simplify() + { + loop_condition = simplify_expr(loop_condition, SIMPLIFY_GENERAL); + + if ( loop_condition->IsConst() && loop_condition->IsZero() ) + return new NullStmt(); + + body = simplify_stmt(body); + return this; + } + +IMPLEMENT_SERIAL(WhileStmt, SER_WHILE_STMT); + +bool WhileStmt::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_WHILE_STMT, Stmt); + + if ( ! loop_condition->Serialize(info) ) + return false; + + return body->Serialize(info); + } + +bool WhileStmt::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(Stmt); + loop_condition = Expr::Unserialize(info); + + if ( ! loop_condition ) + return false; + + body = Stmt::Unserialize(info); + return body != 0; + } + ForStmt::ForStmt(id_list* arg_loop_vars, Expr* loop_expr) : ExprStmt(STMT_FOR, loop_expr) { diff --git a/src/Stmt.h b/src/Stmt.h index 32b90b4190..79406fd51b 100644 --- a/src/Stmt.h +++ b/src/Stmt.h @@ -310,6 +310,35 @@ protected: EventExpr* event_expr; }; +class WhileStmt : public Stmt { +public: + + WhileStmt(Expr* loop_condition, Stmt* body); + + ~WhileStmt(); + + int IsPure() const; + + void Describe(ODesc* d) const; + + TraversalCode Traverse(TraversalCallback* cb) const; + +protected: + friend class Stmt; + + DECLARE_SERIAL(WhileStmt); + + WhileStmt() + { loop_condition = 0; body = 0; } + + Val* Exec(Frame* f, stmt_flow_type& flow) const; + + Stmt* Simplify(); + + Expr* loop_condition; + Stmt* body; +}; + class ForStmt : public ExprStmt { public: ForStmt(id_list* loop_vars, Expr* loop_expr); diff --git a/src/StmtEnums.h b/src/StmtEnums.h index d34f642594..ad99c2365a 100644 --- a/src/StmtEnums.h +++ b/src/StmtEnums.h 
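Review bot: `WhileStmt::WhileStmt(Expr*, Stmt*)` in the Stmt.cc hunk never passes `STMT_WHILE` to its base class, whereas the `ForStmt` constructor in the trailing context initialises `ExprStmt(STMT_FOR, loop_expr)`. Assuming `Stmt` takes its tag from that constructor argument, a while statement is left with an unset tag. `Stmt::Describe()` and any `stmt_name()` lookup would then read an indeterminate value, possibly outside the name table this patch extends. The initialiser list should start with the base: `: Stmt(STMT_WHILE), loop_condition(arg_loop_condition), body(arg_body)`.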
@@ -17,6 +17,7 @@ typedef enum { STMT_LIST, STMT_EVENT_BODY_LIST, STMT_INIT, STMT_FALLTHROUGH, + STMT_WHILE, STMT_NULL #define NUM_STMTS (int(STMT_NULL) + 1) } BroStmtTag; diff --git a/src/parse.y b/src/parse.y index f74880dc13..8054718d45 100644 --- a/src/parse.y +++ b/src/parse.y @@ -16,6 +16,7 @@ %token TOK_REMOVE_FROM TOK_RETURN TOK_SCHEDULE TOK_SET %token TOK_STRING TOK_SUBNET TOK_SWITCH TOK_TABLE %token TOK_TIME TOK_TIMEOUT TOK_TIMER TOK_TYPE TOK_UNION TOK_VECTOR TOK_WHEN +%token TOK_WHILE %token TOK_ATTR_ADD_FUNC TOK_ATTR_ENCRYPT TOK_ATTR_DEFAULT %token TOK_ATTR_OPTIONAL TOK_ATTR_REDEF TOK_ATTR_ROTATE_INTERVAL @@ -1340,6 +1341,11 @@ stmt: $1->AsForStmt()->AddBody($2); } + | TOK_WHILE '(' expr ')' stmt + { + $$ = new WhileStmt($3, $5); + } + | TOK_NEXT ';' opt_no_test { set_location(@1, @2); diff --git a/src/scan.l b/src/scan.l index ae11382fb3..b13215e4b8 100644 --- a/src/scan.l +++ b/src/scan.l @@ -221,6 +221,7 @@ export return TOK_EXPORT; fallthrough return TOK_FALLTHROUGH; file return TOK_FILE; for return TOK_FOR; +while return TOK_WHILE; function return TOK_FUNCTION; global return TOK_GLOBAL; "?$" return TOK_HAS_FIELD; diff --git a/testing/btest/Baseline/language.while/out b/testing/btest/Baseline/language.while/out new file mode 100644 index 0000000000..d37792c0b4 --- /dev/null +++ b/testing/btest/Baseline/language.while/out @@ -0,0 +1,12 @@ +10 +s +ss +sss +{ +7, +1, +9, +5, +3 +} +[number 0, number 1, number 2, number 3, number 4, number 5, number 6, number 7, number 8, number 9, number 10, number 11, number 12] diff --git a/testing/btest/core/leaks/while.bro b/testing/btest/core/leaks/while.bro new file mode 100644 index 0000000000..eac6f2622e --- /dev/null +++ b/testing/btest/core/leaks/while.bro 
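Review bot: The new `TOK_WHILE '(' expr ')' stmt` action in parse.y builds the statement without calling `set_location`, while the `TOK_NEXT` rule directly below it in the same hunk calls `set_location(@1, @2);` first. If statement objects take their source position from that call, a `WhileStmt` would carry the position of whatever was parsed last, and diagnostics keyed on the statement would point at the wrong line. I would add `set_location(@1, @4);` before `$$ = new WhileStmt($3, $5);`. The `stmt:` rule continues on both sides of the hunk.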
@@ -0,0 +1,80 @@ +# @TEST-GROUP: leaks +# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks + +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b -r $TRACES/http/get.trace %INPUT +# @TEST-EXEC: btest-bg-wait 30 + +function test_noop() + { + while ( F ) + print "noooooooooo"; + } + +function test_it() + { + local i = 0; + + while ( i < 10 ) + ++i; + + print i; + } + +function test_break() + { + local s = ""; + + while ( T ) + { + s += "s"; + print s; + + if ( s == "sss" ) + break; + } + } + +function test_next() + { + local s: set[count]; + local i = 0; + + while ( 9 !in s ) + { + ++i; + + if ( i % 2 == 0 ) + next; + + add s[i]; + } + + print s; + } + +function test_return(): vector of string + { + local i = 0; + local rval: vector of string; + + while ( T ) + { + rval[i] = fmt("number %d", i); + ++i; + + if ( i == 13 ) + return rval; + } + + rval[0] = "noooo"; + return rval; + } + +event new_connection(c: connection) + { + test_noop(); + test_it(); + test_break(); + test_next(); + print test_return(); + } diff --git a/testing/btest/language/while.bro b/testing/btest/language/while.bro new file mode 100644 index 0000000000..6828b00b41 --- /dev/null +++ b/testing/btest/language/while.bro 
@@ -0,0 +1,77 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +function test_noop() + { + while ( F ) + print "noooooooooo"; + } + +function test_it() + { + local i = 0; + + while ( i < 10 ) + ++i; + + print i; + } + +function test_break() + { + local s = ""; + + while ( T ) + { + s += "s"; + print s; + + if ( s == "sss" ) + break; + } + } + +function test_next() + { + local s: set[count]; + local i = 0; + + while ( 9 !in s ) + { + ++i; + + if ( i % 2 == 0 ) + next; + + add s[i]; + } + + print s; + } + +function test_return(): vector of string + { + local i = 0; + local rval: vector of string; + + while ( T ) + { + rval[i] = fmt("number %d", i); + ++i; + + if ( i == 13 ) + return rval; + } + + rval[0] = "noooo"; + return rval; + } + +event bro_init() + { + test_noop(); + test_it(); + test_break(); + test_next(); + print test_return(); + } From 8e4f4b46f7591a3779adc8e21d688f81ee436721 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 13 Feb 2015 16:23:43 -0600 Subject: [PATCH 046/109] Updating submodule(s). [nomail] --- aux/broccoli | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broccoli b/aux/broccoli index d43cc790e5..9b6dd56242 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit d43cc790e5b8709b5e032e52ad0e00936494739b +Subproject commit 9b6dd5624254de9d18618562887979da1158da43 From 4bcb9d2d920862660feba80cfb13356952843201 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 13 Feb 2015 18:04:17 -0600 Subject: [PATCH 047/109] Updating submodule(s). [nomail] --- aux/broccoli | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broccoli b/aux/broccoli index 9b6dd56242..420c5b42c0 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 9b6dd5624254de9d18618562887979da1158da43 +Subproject commit 420c5b42c0c90f22fc7a862fc491c8e554d05381 From b00bd7702f8962bcf8507adb0abe967c4c02426c Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Fri, 13 Feb 2015 22:02:54 -0500 Subject: [PATCH 048/109] Add the ability to remove surrounding braces from the JSON formatter. --- src/threading/formatters/JSON.cc | 13 ++++++++++--- src/threading/formatters/JSON.h | 3 +++ 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/src/threading/formatters/JSON.cc b/src/threading/formatters/JSON.cc index 472023e0f8..e1a5713461 100644 --- a/src/threading/formatters/JSON.cc +++ b/src/threading/formatters/JSON.cc @@ -15,7 +15,7 @@ using namespace threading::formatter; -JSON::JSON(MsgThread* t, TimeFormat tf) : Formatter(t) +JSON::JSON(MsgThread* t, TimeFormat tf) : Formatter(t), surrounding_braces(true) { timestamps = tf; } @@ -27,7 +27,8 @@ JSON::~JSON() bool JSON::Describe(ODesc* desc, int num_fields, const Field* const * fields, Value** vals) const { - desc->AddRaw("{"); + if ( surrounding_braces ) + desc->AddRaw("{"); for ( int i = 0; i < num_fields; i++ ) { @@ -41,7 +42,8 @@ bool JSON::Describe(ODesc* desc, int num_fields, const Field* const * fields, return false; } - desc->AddRaw("}"); + if ( surrounding_braces ) + desc->AddRaw("}"); return true; } @@ -217,3 +219,8 @@ threading::Value* JSON::ParseValue(const string& s, const string& name, TypeTag GetThread()->Error("JSON formatter does not support parsing yet."); return NULL; } + +void JSON::SurroundingBraces(bool use_braces) + { + surrounding_braces = use_braces; + } diff --git a/src/threading/formatters/JSON.h b/src/threading/formatters/JSON.h index d7859f83fb..04209fbde9 100644 --- a/src/threading/formatters/JSON.h +++ b/src/threading/formatters/JSON.h @@ -27,8 +27,11 @@ public: threading::Value** vals) const; virtual threading::Value* ParseValue(const string& s, const string& name, TypeTag type, TypeTag subtype = TYPE_ERROR) const; + void SurroundingBraces(bool use_braces); + private: TimeFormat timestamps; + bool surrounding_braces; }; }} From 2e043c0ff6e31f4dfaef81ddcddb1fe596fd0850 Mon Sep 17 00:00:00 2001 
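Review bot: `SurroundingBraces(bool)` in JSON.h has no comment stating what the caller takes on when it passes `false`: `Describe()` then emits only the fields, which is not a JSON document on its own. A writer that forwards that output unwrapped produces records that a downstream parser may reject or split incorrectly. The contract belongs on the declaration, e.g. `// If false, Describe() omits the enclosing '{' and '}'; the caller must wrap the output itself.`. The setter also changes state that the const `Describe()` reads, so the same comment should say it is meant to be called before the formatter is in use.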
From: Robin Sommer Date: Mon, 16 Feb 2015 12:11:59 -0800 Subject: [PATCH 049/109] Creating the installation directory for plugins at install time. --- src/CMakeLists.txt | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 13c6e45006..f13a4a6ebf 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -408,6 +408,9 @@ add_dependencies(bro bif_loader_plugins) # Install *.bif.bro. install(DIRECTORY ${CMAKE_BINARY_DIR}/scripts/base/bif DESTINATION ${BRO_SCRIPT_INSTALL_PATH}/base) +# Create plugin directory at install time. +install(DIRECTORY DESTINATION ${BRO_PLUGIN_INSTALL_PATH}) + # Make clean removes the bif directory. set_directory_properties(PROPERTIES ADDITIONAL_MAKE_CLEAN_FILES ${CMAKE_BINARY_DIR}/scripts/base/bif) From ff16f6215ad6f3cf8208b4e35756b75410a38403 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 16 Feb 2015 12:49:54 -0800 Subject: [PATCH 050/109] Removing setting installation plugin path from bro-path-dev.sh . Also, adding to existing BRO_PLUGIN_PATH rather than replacing. Addresses #1312 --- CMakeLists.txt | 4 ++-- aux/bro-aux | 2 +- cmake | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index c0ff6c09d4..04ac197f74 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -31,12 +31,12 @@ configure_file(bro-path-dev.in ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev) file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev.sh "export BROPATH=`${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev`\n" - "export BRO_PLUGIN_PATH=\"${CMAKE_CURRENT_BINARY_DIR}/src:${BRO_PLUGIN_INSTALL_PATH}\"\n" + "export BRO_PLUGIN_PATH=\"${CMAKE_CURRENT_BINARY_DIR}/src\":${BRO_PLUGIN_PATH}\n" "export PATH=\"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n") file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev.csh "setenv BROPATH `${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev`\n" - "setenv BRO_PLUGIN_PATH \"${CMAKE_CURRENT_BINARY_DIR}/src:${BRO_PLUGIN_INSTALL_PATH}\"\n" + "setenv BRO_PLUGIN_PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":${BRO_PLUGIN_PATH}\n" "setenv PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n") file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1) diff --git a/aux/bro-aux b/aux/bro-aux index 3714d3594c..c011f3a724 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 3714d3594ce0d2b8a757c04e6e7d901d6b559915 +Subproject commit c011f3a7243a8a1dc8be7eff2f45799be7ee85f4 diff --git a/cmake b/cmake index 1316c07f70..0147a2e05b 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 1316c07f7059647b6c4a496ea36e4b83bb5d8f0f +Subproject commit 0147a2e05b613a044ac30374874acdb8bc216feb From d36422fde156caf7d4f2cddf3883d1812f3fb7e7 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 16 Feb 2015 13:37:59 -0800 Subject: [PATCH 051/109] Explicitly removing some old scripts on install. Some scripts have moved into plugins, but may cause confusion if they stick around from old installations. Explicitl removing them on install. We had this problem before in other cases, and it should be ok to help people upgrading a bit here, even though hardcoding these isn't great. --- src/CMakeLists.txt | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index f13a4a6ebf..6d24172b97 100644 
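Review bot: In both `file(WRITE ...)` strings the new `${BRO_PLUGIN_PATH}` is expanded by CMake at configure time, not by the shell that later sources the file; the `PATH` lines next to it work only because `$PATH` has no braces. Unless a CMake variable of that name happens to be set, the generated line becomes `export BRO_PLUGIN_PATH="<build>/src":` and the user's existing value is dropped rather than extended. The trailing colon also leaves an empty entry in the path plugins are loaded from; if the loader treats an empty entry as the current directory, that is a search-path risk. Escaping the reference fixes the expansion, `\"${CMAKE_CURRENT_BINARY_DIR}/src\":\${BRO_PLUGIN_PATH}\n`, and the csh variant may additionally need a guard for an unset variable.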
--- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -414,3 +414,12 @@ install(DIRECTORY DESTINATION ${BRO_PLUGIN_INSTALL_PATH}) # Make clean removes the bif directory. set_directory_properties(PROPERTIES ADDITIONAL_MAKE_CLEAN_FILES ${CMAKE_BINARY_DIR}/scripts/base/bif) +# Remove some stale files and scripts that previous Bro versions put in +# place, yet make confuse us now. This makes upgrading easier. +install(CODE " + file(REMOVE_RECURSE + ${BRO_SCRIPT_INSTALL_PATH}/base/frameworks/logging/writers/dataseries.bro + ${BRO_SCRIPT_INSTALL_PATH}/base/frameworks/logging/writers/elasticsearch.bro + ${BRO_SCRIPT_INSTALL_PATH}/policy/tuning/logs-to-elasticsearch.bro + ) +") From ab3cdf494a216cd20d528f982af3834ff4623695 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 16 Feb 2015 13:40:21 -0800 Subject: [PATCH 052/109] Updating submodules. --- aux/bro-aux | 2 +- cmake | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/aux/bro-aux b/aux/bro-aux index c011f3a724..63675de3cc 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit c011f3a7243a8a1dc8be7eff2f45799be7ee85f4 +Subproject commit 63675de3cc7bc3eb2a3645860224c372d3f7f36a diff --git a/cmake b/cmake index 0147a2e05b..9623367210 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 0147a2e05b613a044ac30374874acdb8bc216feb +Subproject commit 962336721040fdf55a6b264f8bbc84153b54d9a5 From 0f96d0625273f748793988f67756b4317c1e074e Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 16 Feb 2015 14:24:32 -0800 Subject: [PATCH 053/109] Making plugin names case-insensitive for some internal comparisions. Makes the plugin system a bit more tolerant against spelling inconsistencies that would be hard to catch otherwise. --- src/plugin/Manager.cc | 22 ++++++++++++---------- src/util.cc | 7 +++++++ src/util.h | 3 +++ 3 files changed, 22 insertions(+), 10 deletions(-) diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index ab0b85676b..b891a0faab 100644 
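Review bot: The `install(CODE ...)` block removes files at the path CMake substitutes at configure time and does not prepend `$ENV{DESTDIR}`. During a staged install (`make install DESTDIR=...`, as packaging tools do) it would delete from the live prefix on the build host rather than from the staging tree, assuming `BRO_SCRIPT_INSTALL_PATH` is absolute. Prefixing each entry keeps the cleanup inside the tree being installed, e.g. `\$ENV{DESTDIR}${BRO_SCRIPT_INSTALL_PATH}/policy/tuning/logs-to-elasticsearch.bro`. Plain `file(REMOVE ...)` would also suffice, since all three entries are single files.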
--- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -79,18 +79,19 @@ void Manager::SearchDynamicPlugins(const std::string& dir) std::string name; std::getline(in, name); strstrip(name); + string lower_name = strtolower(name); if ( name.empty() ) reporter->FatalError("empty plugin magic file %s", magic.c_str()); - if ( dynamic_plugins.find(name) != dynamic_plugins.end() ) + if ( dynamic_plugins.find(lower_name) != dynamic_plugins.end() ) { DBG_LOG(DBG_PLUGINS, "Found already known plugin %s in %s, ignoring", name.c_str(), dir.c_str()); return; } // Record it, so that we can later activate it. - dynamic_plugins.insert(std::make_pair(name, dir)); + dynamic_plugins.insert(std::make_pair(lower_name, dir)); DBG_LOG(DBG_PLUGINS, "Found plugin %s in %s", name.c_str(), dir.c_str()); return; @@ -135,7 +136,7 @@ void Manager::SearchDynamicPlugins(const std::string& dir) bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_not_found) { - dynamic_plugin_map::iterator m = dynamic_plugins.find(name); + dynamic_plugin_map::iterator m = dynamic_plugins.find(strtolower(name)); if ( m == dynamic_plugins.end() ) { @@ -230,7 +231,7 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ // Make sure the name the plugin reports is consistent with // what we expect from its magic file. - if ( string(current_plugin->Name()) != name ) + if ( strtolower(current_plugin->Name()) != strtolower(name) ) reporter->FatalError("inconsistent plugin name: %s vs %s", current_plugin->Name().c_str(), name.c_str()); @@ -297,7 +298,7 @@ void Manager::UpdateInputFiles() static bool plugin_cmp(const Plugin* a, const Plugin* b) { - return a->Name() < b->Name(); + return strtolower(a->Name()) < strtolower(b->Name()); } void Manager::RegisterPlugin(Plugin *plugin) 
@@ -318,10 +319,11 @@ void Manager::RegisterBifFile(const char* plugin, bif_init_func c) { bif_init_func_map* bifs = BifFilesInternal(); - bif_init_func_map::iterator i = bifs->find(plugin); + std::string lower_plugin = strtolower(plugin); + bif_init_func_map::iterator i = bifs->find(lower_plugin); if ( i == bifs->end() ) - i = bifs->insert(std::make_pair(std::string(plugin), new bif_init_func_list())).first; + i = bifs->insert(std::make_pair(lower_plugin, new bif_init_func_list())).first; i->second->push_back(c); } @@ -348,7 +350,7 @@ void Manager::InitBifs() for ( plugin_list::iterator i = Manager::ActivePluginsInternal()->begin(); i != Manager::ActivePluginsInternal()->end(); i++ ) { - bif_init_func_map::const_iterator b = bifs->find((*i)->Name()); + bif_init_func_map::const_iterator b = bifs->find(strtolower((*i)->Name())); if ( b != bifs->end() ) { @@ -397,7 +399,7 @@ Manager::inactive_plugin_list Manager::InactivePlugins() const for ( plugin_list::const_iterator j = all->begin(); j != all->end(); j++ ) { - if ( (*i).first == (*j)->Name() ) + if ( (*i).first == strtolower((*j)->Name()) ) { found = true; break; @@ -434,7 +436,7 @@ Manager::bif_init_func_map* Manager::BifFilesInternal() static bool hook_cmp(std::pair a, std::pair b) { if ( a.first == b.first ) - return a.second->Name() < a.second->Name(); + return strtolower(a.second->Name()) < strtolower(a.second->Name()); // Reverse sort. return a.first > b.first; diff --git a/src/util.cc b/src/util.cc index 60a92af45f..ac2a942ed3 100644 --- a/src/util.cc +++ b/src/util.cc @@ -541,6 +541,13 @@ bool is_printable(const char* s, int len) return true; } +std::string strtolower(const std::string& s) + { + std::string t = s; + std::transform(t.begin(), t.end(), t.begin(), ::tolower); + return t; + } + const char* fmt_bytes(const char* data, int len) { static char buf[1024]; diff --git a/src/util.h b/src/util.h index 50c33d5608..f65e0fb7d0 100644 --- a/src/util.h +++ b/src/util.h 
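Review bot: `hook_cmp` still compares `a` with itself: `strtolower(a.second->Name()) < strtolower(a.second->Name())` is always false, so hooks of equal priority are never ordered by plugin name. The line was already wrong before this change, but the commit rewrites it and keeps the mistake. The right-hand side should use `b`: `return strtolower(a.second->Name()) < strtolower(b.second->Name());`.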
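Review bot: `strtolower` in util.cc hands plain `char` values to `::tolower`, which is undefined for negative arguments other than EOF. Plugin names are read from magic files on disk, so a name containing a byte above 0x7f hits undefined behaviour wherever `char` is signed. Converting through `unsigned char` avoids that: `for ( size_t i = 0; i < t.size(); ++i ) t[i] = tolower((unsigned char) t[i]);`. The result also depends on the C locale, which is worth a comment on the declaration in util.h because the function now produces lookup keys. The hunk does not show whether `<algorithm>` is included for `std::transform`.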
@@ -159,6 +159,9 @@ int strstr_n(const int big_len, const unsigned char* big, extern int fputs(int len, const char* s, FILE* fp); extern bool is_printable(const char* s, int len); +// Return a lower-cased version of the string. +extern std::string strtolower(const std::string& s); + extern const char* fmt_bytes(const char* data, int len); // Note: returns a pointer into a shared buffer. From b6bbf90643e272814174b6eb065fdbab60e1d938 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 16 Feb 2015 14:32:08 -0800 Subject: [PATCH 054/109] Updating plugin tests. The init-plugin scripts now expects a destination directory. Normally that would be a new subdirectory, but for the tests to keep working we can also put it right into the current directory. --- testing/btest/Baseline/plugins.api-version-mismatch/output | 2 +- testing/btest/plugins/api-version-mismatch.sh | 2 +- testing/btest/plugins/bifs-and-scripts-install.sh | 4 ++-- testing/btest/plugins/bifs-and-scripts.sh | 2 +- testing/btest/plugins/file.bro | 2 +- testing/btest/plugins/hooks.bro | 2 +- testing/btest/plugins/init-plugin.bro | 2 +- testing/btest/plugins/pktdumper.bro | 2 +- testing/btest/plugins/pktsrc.bro | 2 +- testing/btest/plugins/protocol.bro | 2 +- testing/btest/plugins/reader.bro | 2 +- testing/btest/plugins/writer.bro | 2 +- 12 files changed, 13 insertions(+), 13 deletions(-) diff --git a/testing/btest/Baseline/plugins.api-version-mismatch/output b/testing/btest/Baseline/plugins.api-version-mismatch/output index 1e4dae5e65..04f3cdd3a2 100644 --- a/testing/btest/Baseline/plugins.api-version-mismatch/output +++ b/testing/btest/Baseline/plugins.api-version-mismatch/output 
@@ -1 +1 @@ -fatal error in /home/robin/bro/master/scripts/base/init-bare.bro, line 1: plugin's API version does not match Bro (expected 2, got 42 in /home/robin/bro/master/testing/btest/.tmp/plugins.api-version-mismatch//lib/XXX) +fatal error in /home/robin/bro/plugins/scripts/base/init-bare.bro, line 1: plugin's API version does not match Bro (expected 2, got 42 in /home/robin/bro/plugins/testing/btest/.tmp/plugins.api-version-mismatch/build//lib/XXX) diff --git a/testing/btest/plugins/api-version-mismatch.sh b/testing/btest/plugins/api-version-mismatch.sh index cfb4269946..2483582359 100644 --- a/testing/btest/plugins/api-version-mismatch.sh +++ b/testing/btest/plugins/api-version-mismatch.sh @@ -1,4 +1,4 @@ -# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo +# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Demo Foo # @TEST-EXEC: bash %INPUT # @TEST-EXEC: ./configure --bro-dist=${DIST} && make # @TEST-EXEC-FAIL: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >tmp 2>&1 diff --git a/testing/btest/plugins/bifs-and-scripts-install.sh b/testing/btest/plugins/bifs-and-scripts-install.sh index 627eb0f2c5..60c754f8ff 100644 --- a/testing/btest/plugins/bifs-and-scripts-install.sh +++ b/testing/btest/plugins/bifs-and-scripts-install.sh @@ -1,10 +1,10 @@ -# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo +# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Demo Foo # @TEST-EXEC: bash %INPUT # @TEST-EXEC: ./configure --bro-dist=${DIST} --install-root=`pwd`/test-install # @TEST-EXEC: make # @TEST-EXEC: make install # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd`/test-install bro -NN Demo::Foo >>output -# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro demo/foo -r $TRACES/empty.trace >>output +# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd`/test-install bro demo/foo -r $TRACES/empty.trace >>output # @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff output mkdir -p scripts/demo/foo/base/ 
diff --git a/testing/btest/plugins/bifs-and-scripts.sh b/testing/btest/plugins/bifs-and-scripts.sh index cf49642766..25f2dbeb5e 100644 --- a/testing/btest/plugins/bifs-and-scripts.sh +++ b/testing/btest/plugins/bifs-and-scripts.sh @@ -1,4 +1,4 @@ -# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo +# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Demo Foo # @TEST-EXEC: bash %INPUT # @TEST-EXEC: ./configure --bro-dist=${DIST} && make # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >>output diff --git a/testing/btest/plugins/file.bro b/testing/btest/plugins/file.bro index 7d25cab538..29724aa8a4 100644 --- a/testing/btest/plugins/file.bro +++ b/testing/btest/plugins/file.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo +# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Demo Foo # @TEST-EXEC: cp -r %DIR/file-plugin/* . # @TEST-EXEC: ./configure --bro-dist=${DIST} && make # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >>output diff --git a/testing/btest/plugins/hooks.bro b/testing/btest/plugins/hooks.bro index 786e6ccc88..c1dec2f4c3 100644 --- a/testing/btest/plugins/hooks.bro +++ b/testing/btest/plugins/hooks.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Hooks +# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Demo Hooks # @TEST-EXEC: cp -r %DIR/hooks-plugin/* . # @TEST-EXEC: ./configure --bro-dist=${DIST} && make # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -r $TRACES/http/get.trace %INPUT 2>&1 | $SCRIPTS/diff-remove-abspath | sort | uniq >output diff --git a/testing/btest/plugins/init-plugin.bro b/testing/btest/plugins/init-plugin.bro index 2fffa88f2c..a4ebf7b00c 100644 --- a/testing/btest/plugins/init-plugin.bro +++ b/testing/btest/plugins/init-plugin.bro 
@@ -1,4 +1,4 @@ -# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo +# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Demo Foo # @TEST-EXEC: ./configure --bro-dist=${DIST} && make # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >>output # @TEST-EXEC: echo === >>output diff --git a/testing/btest/plugins/pktdumper.bro b/testing/btest/plugins/pktdumper.bro index 29b69acadd..d9bd91a5a6 100644 --- a/testing/btest/plugins/pktdumper.bro +++ b/testing/btest/plugins/pktdumper.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo +# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Demo Foo # @TEST-EXEC: cp -r %DIR/pktdumper-plugin/* . # @TEST-EXEC: ./configure --bro-dist=${DIST} && make # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >>output diff --git a/testing/btest/plugins/pktsrc.bro b/testing/btest/plugins/pktsrc.bro index 349e361664..a13596e245 100644 --- a/testing/btest/plugins/pktsrc.bro +++ b/testing/btest/plugins/pktsrc.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo +# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Demo Foo # @TEST-EXEC: cp -r %DIR/pktsrc-plugin/* . # @TEST-EXEC: ./configure --bro-dist=${DIST} && make # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >>output diff --git a/testing/btest/plugins/protocol.bro b/testing/btest/plugins/protocol.bro index 671edb6cf1..8a6c2a6399 100644 --- a/testing/btest/plugins/protocol.bro +++ b/testing/btest/plugins/protocol.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo +# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Demo Foo # @TEST-EXEC: cp -r %DIR/protocol-plugin/* . # @TEST-EXEC: ./configure --bro-dist=${DIST} && make # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >>output 
diff --git a/testing/btest/plugins/reader.bro b/testing/btest/plugins/reader.bro index 5065678c2e..ec9b6cf046 100644 --- a/testing/btest/plugins/reader.bro +++ b/testing/btest/plugins/reader.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo +# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Demo Foo # @TEST-EXEC: cp -r %DIR/reader-plugin/* . # @TEST-EXEC: ./configure --bro-dist=${DIST} && make # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >>output diff --git a/testing/btest/plugins/writer.bro b/testing/btest/plugins/writer.bro index f2e74ad667..8cecff6843 100644 --- a/testing/btest/plugins/writer.bro +++ b/testing/btest/plugins/writer.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo +# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Demo Foo # @TEST-EXEC: cp -r %DIR/writer-plugin/* . # @TEST-EXEC: ./configure --bro-dist=${DIST} && make # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >>output From bdb2707a08a5772d9de7371dc1050f0d5db4bb56 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 16 Feb 2015 20:05:30 -0800 Subject: [PATCH 055/109] Updating submodules. --- aux/bro-aux | 2 +- aux/plugins | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/aux/bro-aux b/aux/bro-aux index 63675de3cc..8c37b26823 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 63675de3cc7bc3eb2a3645860224c372d3f7f36a +Subproject commit 8c37b26823ada9c77614b2f8f781c11c8fe3d078 diff --git a/aux/plugins b/aux/plugins index ad600b5bdc..9072e28935 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit ad600b5bdcd56a2723e323c0f2c8e1708956ca4f +Subproject commit 9072e28935ba85b6938fe946d7aa23cb58ee1566 From b06d82ccedeb7e079a76c2b6f207df681f05a96a Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 17 Feb 2015 10:50:57 -0600 Subject: [PATCH 056/109] broker integration: add API documentation (broxygen/doxygen) Also changed asynchronous data store query code a bit; trying to make memory management and handling of corner cases a bit clearer (former maybe could still be better, but I need to lookup queries by memory address to associate response cookies to them, and so wrapping pointers kind of just gets in the way). --- scripts/base/frameworks/comm/main.bro | 39 ++- src/Trigger.h | 2 + src/comm/Data.h | 67 ++++++ src/comm/Manager.cc | 28 ++- src/comm/Manager.h | 212 ++++++++++++++++- src/comm/Store.cc | 5 - src/comm/Store.h | 27 +++ src/comm/comm.bif | 106 +++++++++ src/comm/data.bif | 331 +++++++++++++++++++++++++- src/comm/messaging.bif | 102 +++++++- src/comm/store.bif | 222 +++++++++++++++-- src/logging/Manager.h | 18 ++ 12 files changed, 1114 insertions(+), 45 deletions(-) diff --git a/scripts/base/frameworks/comm/main.bro b/scripts/base/frameworks/comm/main.bro index 66dc1715f4..da910f20bf 100644 --- a/scripts/base/frameworks/comm/main.bro +++ b/scripts/base/frameworks/comm/main.bro 
@@ -1,32 +1,53 @@ +##! Various data structure definitions for use with Bro's communication system. module Comm; export { + ## A name used to identify this endpoint to peers. + ## .. bro:see:: Comm::connect Comm::listen const endpoint_name = "" &redef; + ## Change communication behavior. type EndpointFlags: record { + ## Whether to restrict message topics that can be published to peers. auto_publish: bool &default = T; + ## Whether to restrict what message topics or data store identifiers + ## the local endpoint advertises to peers (e.g. subscribing to + ## events or making a master data store available). auto_advertise: bool &default = T; }; + ## Fine-grained tuning of communication behavior for a particular message. type SendFlags: record { + ## Send the message to the local endpoint. self: bool &default = F; + ## Send the message to peer endpoints that advertise interest in + ## the topic associated with the message. peers: bool &default = T; + ## Send the message to peer endpoints even if they don't advertise + ## interest in the topic associated with the message. unsolicited: bool &default = F; }; + ## Opaque communication data. type Data: record { d: opaque of Comm::Data &optional; }; + ## Opaque communication data. type DataVector: vector of Comm::Data; + ## Opaque event communication data. type EventArgs: record { - name: string &optional; # nil for invalid event/args. + ## The name of the event. Not set if invalid event or arguments. + name: string &optional; + ## The arguments to the event. args: DataVector; }; + ## Opaque communication data used as a convenient way to wrap key-value + ## pairs that comprise table entries. type Comm::TableItem : record { key: Comm::Data; val: Comm::Data; 
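Review bot: The new comments on `auto_publish` and `auto_advertise` in `EndpointFlags` read as if a true value restricts traffic, yet both fields default to `T`. The `Comm::publish_topic` and `Comm::advertise_topic` documentation added elsewhere in this patch says those calls have no effect while the automatic behavior is enabled. If that reading is right, the default is the permissive setting and the comment should say so, for example `## Whether to publish messages under any topic; if F, only topics enabled with Comm::publish_topic are sent to peers.` The same rewording applies to `auto_advertise` with `Comm::advertise_topic`. The polarity matters because an operator who wants to limit what leaves the endpoint has to set these fields to `F`.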
@@ -37,30 +58,44 @@ module Store; export { + ## Whether a data store query could be completed or not. type QueryStatus: enum { SUCCESS, FAILURE, }; + ## A expiry time for a key-value pair inserted in to a data store. type ExpiryTime: record { + ## Absolute point in time at which to expire the entry. absolute: time &optional; + ## A point in time relative to the last modification time at which + ## to expire the entry. New modifications will delay the expiration. since_last_modification: interval &optional; }; + ## The result of a data store query. type QueryResult: record { + ## Whether the query completed or not. status: Store::QueryStatus; + ## The result of the query. Certain queries may use a particular + ## data type (e.g. querying store size always returns a count, but + ## a lookup may return various data types). result: Comm::Data; }; + ## Options to tune the SQLite storage backend. type SQLiteOptions: record { + ## File system path of the database. path: string &default = "store.sqlite"; }; + ## Options to tune the RocksDB storage backend. type RocksDBOptions: record { + ## File system path of the database. path: string &default = "store.rocksdb"; - use_merge_operator: bool &default = F; }; + ## Options to tune the particular storage backends. type BackendOptions: record { sqlite: SQLiteOptions &default = SQLiteOptions(); rocksdb: RocksDBOptions &default = RocksDBOptions(); diff --git a/src/Trigger.h b/src/Trigger.h index 7662901dc5..3af9ddf1b0 100644 --- a/src/Trigger.h +++ b/src/Trigger.h @@ -55,6 +55,8 @@ public: // may not immediately delete it as other references may still exist. void Disable(); + bool Disabled() const { return disabled; } + virtual void Describe(ODesc* d) const { d->Add(""); } // Overidden from Notifier. We queue the trigger and evaluate it diff --git a/src/comm/Data.h b/src/comm/Data.h index ed3c16f677..ef7b15110d 100644 --- a/src/comm/Data.h +++ b/src/comm/Data.h 
@@ -15,18 +15,53 @@ extern OpaqueType* opaque_of_table_iterator; extern OpaqueType* opaque_of_vector_iterator; extern OpaqueType* opaque_of_record_iterator; +/** + * Convert a broker port protocol to a bro port protocol. + */ TransportProto to_bro_port_proto(broker::port::protocol tp); +/** + * Create a Comm::Data value from a Bro value. + * @param v the Bro value to convert to a Broker data value. + * @return a Comm::Data value, where the optional field is set if the conversion + * was possible, else it is unset. + */ RecordVal* make_data_val(Val* v); +/** + * Create a Comm::Data value from a Broker data value. + * @param d the Broker value to wrap in an opaque type. + * @return a Comm::Data value that wraps the Broker value. + */ RecordVal* make_data_val(broker::data d); +/** + * Get the type of Broker data that Comm::Data wraps. + * @param v a Comm::Data value. + * @param frame used to get location info upon error. + * @return a Comm::DataType value. + */ EnumVal* get_data_type(RecordVal* v, Frame* frame); +/** + * Convert a Bro value to a Broker data value. + * @param v a Bro value. + * @return a Broker data value if the Bro value could be converted to one. + */ broker::util::optional val_to_data(Val* v); +/** + * Convert a Broker data value to a Bro value. + * @param d a Broker data value. + * @param type the expected type of the value to return. + * @return a pointer to a new Bro value or a nullptr if the conversion was not + * possible. + */ Val* data_to_val(broker::data d, BroType* type); +/** + * A Bro value which wraps a Broker data value. + */ class DataVal : public OpaqueVal { public: @@ -51,6 +86,9 @@ protected: {} }; +/** + * Visitor for retrieving type names a Broker data value. + */ struct type_name_getter { using result_type = const char*; 
@@ -100,8 +138,25 @@ struct type_name_getter { { return "record"; } }; +/** + * Retrieve Broker data value associated with a Comm::Data Bro value. + * @param v a Comm::Data value. + * @param f used to get location information on error. + * @return a reference to the wrapped Broker data value. A runtime interpreter + * exception is thrown if the the optional opaque value of \a v is not set. + */ broker::data& opaque_field_to_data(RecordVal* v, Frame* f); +/** + * Retrieve variant data from a Broker data value. + * @tparam T a type that the variant may contain. + * @param d a Broker data value to get variant data out of. + * @param tag a Bro tag which corresponds to T (just used for error reporting). + * @param f used to get location information on error. + * @return a refrence to the requested type in the variant Broker data. + * A runtime interpret exception is thrown if trying to access a type which + * is not currently stored in the Broker data. + */ template T& require_data_type(broker::data& d, TypeTag tag, Frame* f) { @@ -116,12 +171,24 @@ T& require_data_type(broker::data& d, TypeTag tag, Frame* f) return *ptr; } +/** + * @see require_data_type() and opaque_field_to_data(). + */ template inline T& require_data_type(RecordVal* v, TypeTag tag, Frame* f) { return require_data_type(opaque_field_to_data(v, f), tag, f); } +/** + * Convert a Comm::Data Bro value to a Bro value of a given type. + * @tparam a type that a Broker data variant may contain. + * @param v a Comm::Data value. + * @param tag a Bro type to convert to. + * @param f used to get location information on error. + * A runtime interpret exception is thrown if trying to access a type which + * is not currently stored in the Broker data. + */ template inline Val* refine(RecordVal* v, TypeTag tag, Frame* f) { diff --git a/src/comm/Manager.cc b/src/comm/Manager.cc index 92b2c167dd..65a7bddbf6 100644 --- a/src/comm/Manager.cc +++ b/src/comm/Manager.cc 
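Review bot: The comment added for `refine()` has `@tparam a type that a Broker data variant may contain` without naming the template parameter, and it has no `@return` line, unlike the `require_data_type()` comment just above it. I would write `@tparam T a type that a Broker data variant may contain.` and add `@return a new Bro value of the type given by \a tag.` The body of `refine()` continues outside the hunk, so the exact return wording should be checked against it.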
@@ -41,7 +41,7 @@ static int require_field(RecordType* rt, const char* name) return rval; } -static int GetEndpointFlags(Val* broker_endpoint_flags) +static int endpoint_flags_to_int(Val* broker_endpoint_flags) { int rval = 0; auto r = broker_endpoint_flags->AsRecordVal(); @@ -111,7 +111,7 @@ bool comm::Manager::Enable(Val* broker_endpoint_flags) name = fmt("bro@.%ld", static_cast(getpid())); } - int flags = GetEndpointFlags(broker_endpoint_flags); + int flags = endpoint_flags_to_int(broker_endpoint_flags); endpoint = unique_ptr(new broker::endpoint(name, flags)); iosource_mgr->Register(this, true); return true; @@ -122,7 +122,7 @@ bool comm::Manager::SetEndpointFlags(Val* broker_endpoint_flags) if ( ! Enabled() ) return false; - int flags = GetEndpointFlags(broker_endpoint_flags); + int flags = endpoint_flags_to_int(broker_endpoint_flags); endpoint->set_flags(flags); return true; } @@ -179,7 +179,8 @@ bool comm::Manager::Print(string topic, string msg, Val* flags) if ( ! Enabled() ) return false; - endpoint->send(move(topic), broker::message{move(msg)}, GetFlags(flags)); + endpoint->send(move(topic), broker::message{move(msg)}, + send_flags_to_int(flags)); return true; } @@ -243,7 +244,7 @@ bool comm::Manager::Event(std::string topic, RecordVal* args, Val* flags) msg.emplace_back(data_val->data); } - endpoint->send(move(topic), move(msg), GetFlags(flags)); + endpoint->send(move(topic), move(msg), send_flags_to_int(flags)); return true; } @@ -275,7 +276,7 @@ bool comm::Manager::AutoEvent(string topic, Val* event, Val* flags) return false; } - handler->AutoRemote(move(topic), GetFlags(flags)); + handler->AutoRemote(move(topic), send_flags_to_int(flags)); return true; } @@ -484,7 +485,7 @@ bool comm::Manager::UnadvertiseTopic(broker::topic t) return true; } -int comm::Manager::GetFlags(Val* flags) +int comm::Manager::send_flags_to_int(Val* flags) { auto r = flags->AsRecordVal(); int rval = 0; 
@@ -869,6 +870,14 @@ void comm::Manager::Process() auto query = *it; + if ( query->Disabled() ) + { + // Trigger timer must have timed the query out already. + delete query; + pending_queries.erase(it); + continue; + } + switch ( response.reply.stat ) { case broker::store::result::status::timeout: // Fine, trigger's timeout takes care of things. @@ -885,6 +894,7 @@ void comm::Manager::Process() break; } + delete query; pending_queries.erase(it); } } @@ -1006,8 +1016,6 @@ bool comm::Manager::CloseStore(const broker::store::identifier& id, bool comm::Manager::TrackStoreQuery(StoreQueryCallback* cb) { - if ( ! Enabled() ) - return false; - + assert(Enabled()); return pending_queries.insert(cb).second; } diff --git a/src/comm/Manager.h b/src/comm/Manager.h index e8a8d5e5b1..bd1236bf34 100644 --- a/src/comm/Manager.h +++ b/src/comm/Manager.h 
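Review bot: `TrackStoreQuery()` now guards the disabled case only with `assert(Enabled());`, which is compiled out when NDEBUG is defined. A release build would therefore insert the callback into `pending_queries` even though no endpoint exists. I would keep the removed `if ( ! Enabled() ) return false;` next to the assert, or state in the Manager.h comment that callers must check `Enabled()` first. The callers are outside this hunk, so whether they all check is not visible here. It would also help to document who deletes `cb` when the insert returns false, since `Process()` in this same commit now deletes tracked queries itself.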
@@ -14,73 +14,275 @@ namespace comm { -// TODO: documentation - -// Manages various forms of communication between peer Bro processes -// or possibly between different parts of a single Bro process. +/** + * Manages various forms of communication between peer Bro processes + * or other external applications via use of the Broker messaging library. + */ class Manager : public iosource::IOSource { friend class StoreHandleVal; public: + /** + * Destructor. Any still-pending data store queries are aborted. + */ ~Manager(); + /** + * Enable use of communication. + * @param flags used to tune the local Broker endpoint's behavior. + * See the Comm::EndpointFlags record type. + * @return true if communication is successfully initialized. + */ bool Enable(Val* flags); + /** + * Changes endpoint flags originally supplied to comm::Manager::Enable(). + * @param flags the new behavior flags to use. + * @return true if flags were changed. + */ bool SetEndpointFlags(Val* flags); + /** + * @return true if comm::Manager::Enable() has previously been called and + * it succeeded. + */ bool Enabled() { return endpoint != nullptr; } + /** + * Listen for remote connections. + * @param port the TCP port to listen on. + * @param addr an address string on which to accept connections, e.g. + * "127.0.0.1". A nullptr refers to @p INADDR_ANY. + * @param reuse_addr equivalent to behavior of SO_REUSEADDR. + * @return true if the local endpoint is now listening for connections. + */ bool Listen(uint16_t port, const char* addr = nullptr, bool reuse_addr = true); + /** + * Initiate a remote connection. + * @param addr an address to connect to, e.g. "localhost" or "127.0.0.1". + * @param port the TCP port on which the remote side is listening. + * @param retry_interval an interval at which to retry establishing the + * connection with the remote peer. + * @return true if it's possible to try connecting with the peer and + * it's a new peer. 
The actual connection may not be established until a + * later point in time. + */ bool Connect(std::string addr, uint16_t port, std::chrono::duration retry_interval); + /** + * Remove a remote connection. + * @param addr the address used in comm::Manager::Connect(). + * @param port the port used in comm::Manager::Connect(). + * @return true if the arguments match a previously successful call to + * comm::Manager::Connect(). + */ bool Disconnect(const std::string& addr, uint16_t port); + /** + * Print a simple message to any interested peers. + * @param topic a topic string associated with the print message. + * Peers advertise interest by registering a subscription to some prefix + * of this topic name. + * @param msg the string to send to peers. + * @param flags tune the behavior of how the message is send. + * See the Comm::SendFlags record type. + * @return true if the message is sent successfully. + */ bool Print(std::string topic, std::string msg, Val* flags); + /** + * Send an event to any interested peers. + * @param topic a topic string associated with the print message. + * Peers advertise interest by registering a subscription to some prefix + * of this topic name. + * @param msg the event to send to peers, which is the name of the event + * as a string followed by all of its arguments. + * @param flags tune the behavior of how the message is send. + * See the Comm::SendFlags record type. + * @return true if the message is sent successfully. + */ bool Event(std::string topic, broker::message msg, int flags); + + /** + * Send an event to any interested peers. + * @param topic a topic string associated with the print message. + * Peers advertise interest by registering a subscription to some prefix + * of this topic name. + * @param args the event and its arguments to send to peers. See the + * Comm::EventArgs record type. + * @param flags tune the behavior of how the message is send. + * See the Comm::SendFlags record type. 
+ * @return true if the message is sent successfully. + */ bool Event(std::string topic, RecordVal* args, Val* flags); + /** + * Send a log entry to any interested peers. The topic name used is + * implicitly "bro/log/". + * @param stream_id the stream to which the log entry belongs. + * @param columns the data which comprises the log entry. + * @param flags tune the behavior of how the message is send. + * See the Comm::SendFlags record type. + * @return true if the message is sent successfully. + */ bool Log(EnumVal* stream_id, RecordVal* columns, int flags); + /** + * Automatically send an event to any interested peers whenever it is + * locally dispatched (e.g. using "event my_event(...);" in a script). + * @param topic a topic string associated with the event message. + * Peers advertise interest by registering a subscription to some prefix + * of this topic name. + * @param event a Bro event value. + * @param flags tune the behavior of how the message is send. + * See the Comm::SendFlags record type. + * @return true if automatic event sending is now enabled. + */ bool AutoEvent(std::string topic, Val* event, Val* flags); + /** + * Stop automatically sending an event to peers upon local dispatch. + * @param topic a topic originally given to comm::Manager::AutoEvent(). + * @param event an event originally given to comm::Manager::AutoEvent(). + * @return true if automatic events will no occur for the topic/event pair. + */ bool AutoEventStop(const std::string& topic, Val* event); + /** + * Create an EventArgs record value from an event and its arguments. + * @param args the event and its arguments. The event is always the first + * elements in the list. + * @return an EventArgs record value. If an invalid event or arguments + * were supplied the optional "name" field will not be set. + */ RecordVal* MakeEventArgs(val_list* args); + /** + * Register interest in peer print messages that use a certain topic prefix. 
+ * @param topic_prefix a prefix to match against remote message topics. + * e.g. an empty prefix will match everything and "a" will match "alice" + * and "amy" but not "bob". + * @return true if it's a new print subscriptions and it is now registered. + */ bool SubscribeToPrints(std::string topic_prefix); + /** + * Unregister interest in peer print messages. + * @param topic_prefix a prefix previously supplied to a successful call + * to comm::Manager::SubscribeToPrints(). + * @return true if interest in topic prefix is no longer advertised. + */ bool UnsubscribeToPrints(const std::string& topic_prefix); + /** + * Register interest in peer event messages that use a certain topic prefix. + * @param topic_prefix a prefix to match against remote message topics. + * e.g. an empty prefix will match everything and "a" will match "alice" + * and "amy" but not "bob". + * @return true if it's a new event subscription and it is now registered. + */ bool SubscribeToEvents(std::string topic_prefix); + /** + * Unregister interest in peer event messages. + * @param topic_prefix a prefix previously supplied to a successful call + * to comm::Manager::SubscribeToEvents(). + * @return true if interest in topic prefix is no longer advertised. + */ bool UnsubscribeToEvents(const std::string& topic_prefix); + /** + * Register interest in peer log messages that use a certain topic prefix. + * @param topic_prefix a prefix to match against remote message topics. + * e.g. an empty prefix will match everything and "a" will match "alice" + * and "amy" but not "bob". + * @return true if it's a new log subscription and it is now registered. + */ bool SubscribeToLogs(std::string topic_prefix); + /** + * Unregister interest in peer log messages. + * @param topic_prefix a prefix previously supplied to a successful call + * to comm::Manager::SubscribeToLogs(). + * @return true if interest in topic prefix is no longer advertised. 
+ */ bool UnsubscribeToLogs(const std::string& topic_prefix); + /** + * Allow sending messages to peers if associated with the given topic. + * This has no effect if auto publication behavior is enabled via the flags + * supplied to comm::Manager::Enable() or comm::Manager::SetEndpointFlags(). + * @param t a topic to allow messages to be published under. + * @return true if successful. + */ bool PublishTopic(broker::topic t); + /** + * Disallow sending messages to peers if associated with the given topic. + * This has no effect if auto publication behavior is enabled via the flags + * supplied to comm::Manager::Enable() or comm::Manager::SetEndpointFlags(). + * @param t a topic to disallow messages to be published under. + * @return true if successful. + */ bool UnpublishTopic(broker::topic t); + /** + * Allow advertising interest in the given topic to peers. + * This has no effect if auto advertise behavior is enabled via the flags + * supplied to comm::Manager::Enable() or comm::Manager::SetEndpointFlags(). + * @param t a topic to allow advertising interest/subscription to peers. + * @return true if successful. + */ bool AdvertiseTopic(broker::topic t); + /** + * Disallow advertising interest in the given topic to peers. + * This has no effect if auto advertise behavior is enabled via the flags + * supplied to comm::Manager::Enable() or comm::Manager::SetEndpointFlags(). + * @param t a topic to disallow advertising interest/subscription to peers. + * @return true if successful. + */ bool UnadvertiseTopic(broker::topic t); + /** + * Register the availability of a data store. + * @param handle the data store. + * @return true if the store was valid and not already away of it. + */ bool AddStore(StoreHandleVal* handle); + /** + * Lookup a data store by it's identifier name and type. + * @param id the store's name. + * @param type the type of data store. + * @return a pointer to the store handle if it exists else nullptr. 
+ */ StoreHandleVal* LookupStore(const broker::store::identifier& id, StoreType type); + /** + * Close and unregister a data store. Any existing references to the + * store handle will not be able to be used for any data store operations. + * @param id the stores' name. + * @param type the type of the data store. + * @return true if such a store existed and is now closed. + */ bool CloseStore(const broker::store::identifier& id, StoreType type); + /** + * Register a data store query callback. + * @param cb the callback info to use when the query completes or times out. + * @return true if now tracking a data store query. + */ bool TrackStoreQuery(StoreQueryCallback* cb); - static int GetFlags(Val* flags); + /** + * Convert Comm::SendFlags to int flags for use with broker::send(). + */ + static int send_flags_to_int(Val* flags); private: diff --git a/src/comm/Store.cc b/src/comm/Store.cc index 8c55c31785..5fcc7daa85 100644 --- a/src/comm/Store.cc +++ b/src/comm/Store.cc @@ -48,14 +48,9 @@ comm::StoreHandleVal::StoreHandleVal(broker::store::identifier id, #ifdef HAVE_ROCKSDB std::string path = backend_options->Lookup(1)->AsRecordVal() ->Lookup(0)->AsStringVal()->CheckString(); - bool use_merge_op = backend_options->Lookup(1)->AsRecordVal() - ->Lookup(1)->AsBool(); rocksdb::Options rock_op; rock_op.create_if_missing = true; - if ( use_merge_op ) - options.merge_operator.reset(new rocksdb_merge_operator); - auto rocksdb = new broker::store::rocksdb_backend; if ( rocksdb->open(path, options).ok() ) diff --git a/src/comm/Store.h b/src/comm/Store.h index b02c5b4f5b..289290eab4 100644 --- a/src/comm/Store.h +++ b/src/comm/Store.h 
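Review bot: The comment on `Listen()` says a nullptr `addr` refers to INADDR_ANY but does not say that nullptr is the default, so a caller who omits the argument accepts connections on every interface. I would extend the `@param addr` text with a sentence such as `This is the default; pass a specific address to bind to one interface only.` The `Comm::listen` comment in src/comm/comm.bif has the same gap for its empty-string default. Two smaller wording slips in this hunk: the `Event()` overloads describe `topic` as belonging to "the print message", and `AddStore()` says "not already away of it".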
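Review bot: In the RocksDB branch of the `StoreHandleVal` constructor, the context lines configure `rock_op` (`create_if_missing = true`) but then call `rocksdb->open(path, options)`. With the `options.merge_operator` lines removed, nothing in the visible code declares or sets `options`, and `rock_op` is never used. Unless `options` is defined outside this hunk, this either fails to compile under HAVE_ROCKSDB or opens the database without `create_if_missing`; the call probably wants `if ( rocksdb->open(path, rock_op).ok() )`. The constructor starts and ends outside the hunk, so this needs checking against the full function.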
@@ -14,12 +14,21 @@ namespace comm { extern OpaqueType* opaque_of_store_handle; +/** + * Enumerates the possible types of data stores. + */ enum StoreType { + // Just a view in to a remote store, contains no data itself. FRONTEND, MASTER, CLONE, }; +/** + * Create a Store::QueryStatus value. + * @param success whether the query status should be set to success or failure. + * @return a Store::QueryStatus value. + */ inline EnumVal* query_status(bool success) { static EnumType* store_query_status = nullptr; @@ -36,6 +45,10 @@ inline EnumVal* query_status(bool success) return new EnumVal(success ? success_val : failure_val, store_query_status); } +/** + * @return a Store::QueryResult value that has a Store::QueryStatus indicating + * a failure. + */ inline RecordVal* query_result() { auto rval = new RecordVal(BifType::Record::Store::QueryResult); @@ -44,6 +57,11 @@ inline RecordVal* query_result() return rval; } +/** + * @param data the result of the query. + * @return a Store::QueryResult value that has a Store::QueryStatus indicating + * a success. + */ inline RecordVal* query_result(RecordVal* data) { auto rval = new RecordVal(BifType::Record::Store::QueryResult); @@ -52,6 +70,9 @@ inline RecordVal* query_result(RecordVal* data) return rval; } +/** + * Used for asynchronous data store queries which use "when" statements. + */ class StoreQueryCallback { public: @@ -84,6 +105,9 @@ public: Unref(result); } + bool Disabled() const + { return trigger->Disabled(); } + const broker::store::identifier& StoreID() const { return store_id; } @@ -98,6 +122,9 @@ private: StoreType store_type; }; +/** + * An opaque handle which wraps a Broker data store. + */ class StoreHandleVal : public OpaqueVal { public: diff --git a/src/comm/comm.bif b/src/comm/comm.bif index 1d41b572f6..23e163c748 100644 --- a/src/comm/comm.bif +++ b/src/comm/comm.bif 
@@ -9,50 +9,133 @@ module Comm; type Comm::EndpointFlags: record; +## Enable use of communication. +## +## flags: used to tune the local Broker endpoint behavior. +## +## Returns: true if communication is successfully initialized. function Comm::enable%(flags: EndpointFlags &default = EndpointFlags()%): bool %{ return new Val(comm_mgr->Enable(flags), TYPE_BOOL); %} +## Changes endpoint flags originally supplied to :bro:see:`Comm::enable`. +## +## flags: the new endpoint behavior flags to use. +## +## Returns: true of flags were changed. function Comm::set_endpoint_flags%(flags: EndpointFlags &default = EndpointFlags()%): bool %{ return new Val(comm_mgr->SetEndpointFlags(flags), TYPE_BOOL); %} +## Allow sending messages to peers if associated with the given topic. +## This has no effect if auto publication behavior is enabled via the flags +## supplied to :bro:see:`Comm::enable` or :bro:see:`Comm::set_endpoint_flags`. +## +## topic: a topic to allow messages to be published under. +## +## Returns: true if successful. function Comm::publish_topic%(topic: string%): bool %{ return new Val(comm_mgr->PublishTopic(topic->CheckString()), TYPE_BOOL); %} +## Disallow sending messages to peers if associated with the given topic. +## This has no effect if auto publication behavior is enabled via the flags +## supplied to :bro:see:`Comm::enable` or :bro:see:`Comm::set_endpoint_flags`. +## +## topic: a topic to disallow messages to be published under. +## +## Returns: true if successful. function Comm::unpublish_topic%(topic: string%): bool %{ return new Val(comm_mgr->UnpublishTopic(topic->CheckString()), TYPE_BOOL); %} +## Allow advertising interest in the given topic to peers. +## This has no effect if auto advertise behavior is enabled via the flags +## supplied to :bro:see:`Comm::enable` or :bro:see:`Comm::set_endpoint_flags`. +## +## topic: a topic to allow advertising interest/subscription to peers. +## +## Returns: true if successful. 
function Comm::advertise_topic%(topic: string%): bool %{ return new Val(comm_mgr->AdvertiseTopic(topic->CheckString()), TYPE_BOOL); %} +## Disallow advertising interest in the given topic to peers. +## This has no effect if auto advertise behavior is enabled via the flags +## supplied to :bro:see:`Comm::enable` or :bro:see:`Comm::set_endpoint_flags`. +## +## topic: a topic to disallow advertising interest/subscription to peers. +## +## Returns: true if successful. function Comm::unadvertise_topic%(topic: string%): bool %{ return new Val(comm_mgr->UnadvertiseTopic(topic->CheckString()), TYPE_BOOL); %} +## Generated when a connection has been established due to a previous call +## to :bro:see:`Comm::connect`. +## +## peer_address: the address used to connect to the peer. +## +## peer_port: the port used to connect to the peer. +## +## peer_name: the name by which the peer identified itself. event Comm::outgoing_connection_established%(peer_address: string, peer_port: port, peer_name: string%); +## Generated when a previously established connection becomes broken. +## Reconnection will automatically be attempted at a frequency given +## by the original call to :bro:see:`Comm::connect`. +## +## peer_address: the address used to connect to the peer. +## +## peer_port: the port used to connect to the peer. +## +## .. bro:see:: Comm::outgoing_connection_established event Comm::outgoing_connection_broken%(peer_address: string, peer_port: port%); +## Generated when a connection via :bro:see:`Comm::connect` has failed +## because the remote side is incompatible. +## +## peer_address: the address used to connect to the peer. +## +## peer_port: the port used to connect to the peer. event Comm::outgoing_connection_incompatible%(peer_address: string, peer_port: port%); +## Generated when a peer has established a connection with this process +## as a result of previously performing a :bro:see:`Comm::listen`. +## +## peer_name: the name by which the peer identified itself. 
event Comm::incoming_connection_established%(peer_name: string%); +## Generated when a peer that previously established a connection with this +## process becomes disconnected. +## +## peer_name: the name by which the peer identified itself. +## +## .. bro:see:: Comm::incoming_connection_established event Comm::incoming_connection_broken%(peer_name: string%); +## Listen for remote connections. +## +## p: the TCP port to listen on. +## +## a: an address string on which to accept connections, e.g. +## "127.0.0.1". An empty string refers to @p INADDR_ANY. +## +## reuse: equivalent to behavior of SO_REUSEADDR. +## +## Returns: true if the local endpoint is now listening for connections. +## +## .. bro:see:: Comm::incoming_connection_established function Comm::listen%(p: port, a: string &default = "", reuse: bool &default = T%): bool %{ @@ -67,6 +150,21 @@ function Comm::listen%(p: port, a: string &default = "", return new Val(rval, TYPE_BOOL); %} +## Initiate a remote connection. +## +## a: an address to connect to, e.g. "localhost" or "127.0.0.1". +## +## p: the TCP port on which the remote side is listening. +## +## retry: an interval at which to retry establishing the +## connection with the remote peer if it cannot be made initially, or +## if it ever becomes disconnected. +## +## Returns: true if it's possible to try connecting with the peer and +## it's a new peer. The actual connection may not be established +## a later point in time. +## +## .. bro:see:: Comm::outgoing_connection_established function Comm::connect%(a: string, p: port, retry: interval%): bool %{ if ( ! p->IsTCP() ) 
@@ -80,6 +178,14 @@ function Comm::connect%(a: string, p: port, retry: interval%): bool return new Val(rval, TYPE_BOOL); %} +## Remove a remote connection. +## +## a: the address used in previous successful call to :bro:see:`Comm::connect`. +## +## p: the port used in previous successful call to :bro:see:`Comm::connect`. +## +## Returns: true if the arguments match a previously successful call to +## :bro:see:`Comm::connect`. function Comm::disconnect%(a: string, p: port%): bool %{ if ( ! p->IsTCP() ) diff --git a/src/comm/data.bif b/src/comm/data.bif index 2a78a9229a..7120046920 100644 --- a/src/comm/data.bif +++ b/src/comm/data.bif @@ -7,6 +7,8 @@ module Comm; +## Enumerates the possible types that :bro:see:`Comm::Data` may be in terms of +## Bro data types. enum DataType %{ BOOL, INT, 
@@ -29,36 +31,78 @@ type Comm::Data: record; type Comm::TableItem: record; +## Convert any Bro value in to communication data. +## +## d: any Bro value to attempt to convert (not all types are supported). +## +## Returns: the converted communication data which may not set its only +## opaque field of the the conversion was not possible (the Bro data +## type does not support being converted to communicaiton data). function Comm::data%(d: any%): Comm::Data %{ return comm::make_data_val(d); %} +## Retrieve the type of data associated with communication data. +## +## d: the communication data. +## +## Returns: the data type associated with the communication data. function Comm::data_type%(d: Comm::Data%): Comm::DataType %{ return comm::get_data_type(d->AsRecordVal(), frame); %} +## Convert communication data with a type of :bro:see:`Comm::BOOL` to +## an actual Bro value. +## +## d: the communication data to convert. +## +## Returns: the value retrieved from the communication data. function Comm::refine_to_bool%(d: Comm::Data%): bool %{ return comm::refine(d->AsRecordVal(), TYPE_BOOL, frame); %} +## Convert communication data with a type of :bro:see:`Comm::INT` to +## an actual Bro value. +## +## d: the communication data to convert. +## +## Returns: the value retrieved from the communication data. function Comm::refine_to_int%(d: Comm::Data%): int %{ return comm::refine(d->AsRecordVal(), TYPE_INT, frame); %} +## Convert communication data with a type of :bro:see:`Comm::COUNT` to +## an actual Bro value. +## +## d: the communication data to convert. +## +## Returns: the value retrieved from the communication data. function Comm::refine_to_count%(d: Comm::Data%): count %{ return comm::refine(d->AsRecordVal(), TYPE_COUNT, frame); %} +## Convert communication data with a type of :bro:see:`Comm::DOUBLE` to +## an actual Bro value. +## +## d: the communication data to convert. +## +## Returns: the value retrieved from the communication data. 
function Comm::refine_to_double%(d: Comm::Data%): double %{ return comm::refine(d->AsRecordVal(), TYPE_DOUBLE, frame); %} +## Convert communication data with a type of :bro:see:`Comm::STRING` to +## an actual Bro value. +## +## d: the communication data to convert. +## +## Returns: the value retrieved from the communication data. function Comm::refine_to_string%(d: Comm::Data%): string %{ return new StringVal(comm::require_data_type(d->AsRecordVal(), @@ -66,6 +110,12 @@ function Comm::refine_to_string%(d: Comm::Data%): string frame)); %} +## Convert communication data with a type of :bro:see:`Comm::ADDR` to +## an actual Bro value. +## +## d: the communication data to convert. +## +## Returns: the value retrieved from the communication data. function Comm::refine_to_addr%(d: Comm::Data%): addr %{ auto& a = comm::require_data_type(d->AsRecordVal(), @@ -74,6 +124,12 @@ function Comm::refine_to_addr%(d: Comm::Data%): addr return new AddrVal(IPAddr(*bits)); %} +## Convert communication data with a type of :bro:see:`Comm::SUBNET` to +## an actual Bro value. +## +## d: the communication data to convert. +## +## Returns: the value retrieved from the communication data. function Comm::refine_to_subnet%(d: Comm::Data%): subnet %{ auto& a = comm::require_data_type(d->AsRecordVal(), @@ -82,6 +138,12 @@ function Comm::refine_to_subnet%(d: Comm::Data%): subnet return new SubNetVal(IPPrefix(IPAddr(*bits), a.length())); %} +## Convert communication data with a type of :bro:see:`Comm::PORT` to +## an actual Bro value. +## +## d: the communication data to convert. +## +## Returns: the value retrieved from the communication data. function Comm::refine_to_port%(d: Comm::Data%): port %{ auto& a = comm::require_data_type(d->AsRecordVal(), 
@@ -89,6 +151,12 @@ function Comm::refine_to_port%(d: Comm::Data%): port return new PortVal(a.number(), comm::to_bro_port_proto(a.type())); %} +## Convert communication data with a type of :bro:see:`Comm::TIME` to +## an actual Bro value. +## +## d: the communication data to convert. +## +## Returns: the value retrieved from the communication data. function Comm::refine_to_time%(d: Comm::Data%): time %{ auto v = comm::require_data_type(d->AsRecordVal(), @@ -96,6 +164,12 @@ function Comm::refine_to_time%(d: Comm::Data%): time return new Val(v, TYPE_TIME); %} +## Convert communication data with a type of :bro:see:`Comm::INTERVAL` to +## an actual Bro value. +## +## d: the communication data to convert. +## +## Returns: the value retrieved from the communication data. function Comm::refine_to_interval%(d: Comm::Data%): interval %{ auto v = comm::require_data_type(d->AsRecordVal(), @@ -103,6 +177,13 @@ function Comm::refine_to_interval%(d: Comm::Data%): interval return new Val(v, TYPE_INTERVAL); %} +## Convert communication data with a type of :bro:see:`Comm::ENUM` to +## the name of the enum value. :bro:see:`lookup_ID` may be used to convert +## the name to the actual enum value. +## +## d: the communication data to convert. +## +## Returns: the enum name retrieved from the communication data. function Comm::refine_to_enum_name%(d: Comm::Data%): string %{ auto& v = comm::require_data_type(d->AsRecordVal(), @@ -110,11 +191,17 @@ function Comm::refine_to_enum_name%(d: Comm::Data%): string return new StringVal(v); %} +## Create communication data of type "set". function Comm::set_create%(%): Comm::Data %{ return comm::make_data_val(broker::set()); %} +## Remove all elements within a set. +## +## s: the set to clear. +## +## Returns: always true. function Comm::set_clear%(s: Comm::Data%): bool %{ auto& v = comm::require_data_type(s->AsRecordVal(), TYPE_TABLE, 
@@ -123,6 +210,11 @@ function Comm::set_clear%(s: Comm::Data%): bool return new Val(true, TYPE_BOOL); %} +## Get the number of elements within a set. +## +## s: the set to query. +## +## Returns: the number of elements in the set. function Comm::set_size%(s: Comm::Data%): count %{ auto& v = comm::require_data_type(s->AsRecordVal(), TYPE_TABLE, @@ -130,6 +222,13 @@ function Comm::set_size%(s: Comm::Data%): count return new Val(static_cast(v.size()), TYPE_COUNT); %} +## Check if a set contains a particular element. +## +## s: the set to query. +## +## key: the element to check for existence. +## +## Returns: true if the key exists in the set. function Comm::set_contains%(s: Comm::Data, key: Comm::Data%): bool %{ auto& v = comm::require_data_type(s->AsRecordVal(), TYPE_TABLE, @@ -138,6 +237,13 @@ function Comm::set_contains%(s: Comm::Data, key: Comm::Data%): bool return new Val(v.find(k) != v.end(), TYPE_BOOL); %} +### Insert an element into a set. +## +## s: the set to modify. +## +## key: the element to insert. +## +## Returns: true if the key was inserted, or false if it already existed. function Comm::set_insert%(s: Comm::Data, key: Comm::Data%): bool %{ auto& v = comm::require_data_type(s->AsRecordVal(), TYPE_TABLE, @@ -146,6 +252,13 @@ function Comm::set_insert%(s: Comm::Data, key: Comm::Data%): bool return new Val(v.insert(k).second, TYPE_BOOL); %} +## Remove an element from a set. +## +## s: the set to modify. +## +## key: the element to remove. +## +## Returns: true if the element existed in the set and is now removed. function Comm::set_remove%(s: Comm::Data, key: Comm::Data%): bool %{ auto& v = comm::require_data_type(s->AsRecordVal(), TYPE_TABLE, 
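Review bot: The first comment line added for `Comm::set_insert` starts with three hashes (`### Insert an element into a set.`), while every other comment in this patch uses `##`. The extra `#` may keep the documentation generator from treating the line as part of the doc comment, which would leave the function without its summary sentence. Suggest `## Insert an element into a set.`.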
@@ -154,17 +267,36 @@ function Comm::set_remove%(s: Comm::Data, key: Comm::Data%): bool return new Val(v.erase(k) > 0, TYPE_BOOL); %} +## Create an iterator for a set. Note that this makes a copy of the set +## internally to ensure the iterator is always valid. +## +## s: the set to iterate over. +## +## Returns: an iterator. function Comm::set_iterator%(s: Comm::Data%): opaque of Comm::SetIterator %{ return new comm::SetIterator(s->AsRecordVal(), TYPE_TABLE, frame); %} +## Check if there are no more elements to iterate over. +## +## it: an iterator. +## +## Returns: true if there are no more elements to iterator over, i.e. +## the iterator is one-past-the-final-element. function Comm::set_iterator_last%(it: opaque of Comm::SetIterator%): bool %{ auto set_it = static_cast(it); return new Val(set_it->it == set_it->dat.end(), TYPE_BOOL); %} +## Advance an iterator. +## +## it: an iterator. +## +## Returns: true if the iterator, after advancing, still references an element +## in the collection. False if the iterator, after advancing, is +## one-past-the-final-element. function Comm::set_iterator_next%(it: opaque of Comm::SetIterator%): bool %{ auto set_it = static_cast(it); @@ -176,6 +308,11 @@ function Comm::set_iterator_next%(it: opaque of Comm::SetIterator%): bool return new Val(set_it->it != set_it->dat.end(), TYPE_BOOL); %} +## Retrieve the data at an iterator's current position. +## +## it: an iterator. +## +## Returns: element in the collection that the iterator currently references. function Comm::set_iterator_value%(it: opaque of Comm::SetIterator%): Comm::Data %{ auto set_it = static_cast(it); 
@@ -193,11 +330,17 @@ function Comm::set_iterator_value%(it: opaque of Comm::SetIterator%): Comm::Data return rval; %} +## Create communication data of type "table". function Comm::table_create%(%): Comm::Data %{ return comm::make_data_val(broker::table()); %} +## Remove all elements within a table. +## +## t: the table to clear. +## +## Returns: always true. function Comm::table_clear%(t: Comm::Data%): bool %{ auto& v = comm::require_data_type(t->AsRecordVal(), @@ -206,6 +349,11 @@ function Comm::table_clear%(t: Comm::Data%): bool return new Val(true, TYPE_BOOL); %} +## Get the number of elements within a table. +## +## t: the table to query. +## +## Returns: the number of elements in the table. function Comm::table_size%(t: Comm::Data%): count %{ auto& v = comm::require_data_type(t->AsRecordVal(), @@ -213,6 +361,13 @@ function Comm::table_size%(t: Comm::Data%): count return new Val(static_cast(v.size()), TYPE_COUNT); %} +## Check if a table contains a particular key. +## +## t: the table to query. +## +## key: the key to check for existence. +## +## Returns: true if the key exists in the set. function Comm::table_contains%(t: Comm::Data, key: Comm::Data%): bool %{ auto& v = comm::require_data_type(t->AsRecordVal(), @@ -221,6 +376,16 @@ function Comm::table_contains%(t: Comm::Data, key: Comm::Data%): bool return new Val(v.find(k) != v.end(), TYPE_BOOL); %} +## Insert a key-value pair into a table. +## +## t: the table to modify. +## +## key: the key at which to insert the value. +## +## val: the value to insert. +## +## Returns: true if the key-value pair was inserted, or false if the key +## already existed in the table. function Comm::table_insert%(t: Comm::Data, key: Comm::Data, val: Comm::Data%): Comm::Data %{ auto& table = comm::require_data_type(t->AsRecordVal(), 
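Review bot: The comment added for `Comm::table_insert` documents a boolean result ("true if the key-value pair was inserted, or false if the key already existed in the table"), but the signature directly below it declares `Comm::Data` as the return type. The body lies outside this hunk, so the exact contract cannot be confirmed here. If it mirrors `Comm::table_remove`, the text would be closer to `## Returns: the value previously associated with the key; the optional field is not set if the key did not exist`. The `Comm::table_contains` comment in the preceding hunk also says "exists in the set" where "table" is meant.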
@@ -242,6 +407,14 @@ function Comm::table_insert%(t: Comm::Data, key: Comm::Data, val: Comm::Data%): } %} +## Remove a key-value pair from a table. +## +## t: the table to modify. +## +## key: the key to remove from the table. +## +## Returns: the value associated with the key. If the key did not exist, then +## the optional field of the returned record is not set. function Comm::table_remove%(t: Comm::Data, key: Comm::Data%): Comm::Data %{ auto& table = comm::require_data_type(t->AsRecordVal(), @@ -259,6 +432,14 @@ function Comm::table_remove%(t: Comm::Data, key: Comm::Data%): Comm::Data } %} +## Retrieve a value from a table. +## +## t: the table to query. +## +## key: the key to lookup. +## +## Returns: the value associated with the key. If the key did not exist, then +## the optional field of the returned record is not set. function Comm::table_lookup%(t: Comm::Data, key: Comm::Data%): Comm::Data %{ auto& table = comm::require_data_type(t->AsRecordVal(), 
@@ -272,17 +453,36 @@ function Comm::table_lookup%(t: Comm::Data, key: Comm::Data%): Comm::Data return comm::make_data_val(it->second); %} +## Create an iterator for a table. Note that this makes a copy of the table +## internally to ensure the iterator is always valid. +## +## t: the table to iterate over. +## +## Returns: an iterator. function Comm::table_iterator%(t: Comm::Data%): opaque of Comm::TableIterator %{ return new comm::TableIterator(t->AsRecordVal(), TYPE_TABLE, frame); %} +## Check if there are no more elements to iterate over. +## +## it: an iterator. +## +## Returns: true if there are no more elements to iterator over, i.e. +## the iterator is one-past-the-final-element. function Comm::table_iterator_last%(it: opaque of Comm::TableIterator%): bool %{ auto ti = static_cast(it); return new Val(ti->it == ti->dat.end(), TYPE_BOOL); %} +## Advance an iterator. +## +## it: an iterator. +## +## Returns: true if the iterator, after advancing, still references an element +## in the collection. False if the iterator, after advancing, is +## one-past-the-final-element. function Comm::table_iterator_next%(it: opaque of Comm::TableIterator%): bool %{ auto ti = static_cast(it); @@ -294,6 +494,11 @@ function Comm::table_iterator_next%(it: opaque of Comm::TableIterator%): bool return new Val(ti->it != ti->dat.end(), TYPE_BOOL); %} +## Retrieve the data at an iterator's current position. +## +## it: an iterator. +## +## Returns: element in the collection that the iterator currently references. function Comm::table_iterator_value%(it: opaque of Comm::TableIterator%): Comm::TableItem %{ auto ti = static_cast(it); 
@@ -316,11 +521,17 @@ function Comm::table_iterator_value%(it: opaque of Comm::TableIterator%): Comm:: return rval; %} +## Create communication data of type "vector". function Comm::vector_create%(%): Comm::Data %{ return comm::make_data_val(broker::vector()); %} +## Remove all elements within a vector. +## +## v: the vector to clear. +## +## Returns: always true. function Comm::vector_clear%(v: Comm::Data%): bool %{ auto& vec = comm::require_data_type(v->AsRecordVal(), @@ -329,6 +540,11 @@ function Comm::vector_clear%(v: Comm::Data%): bool return new Val(true, TYPE_BOOL); %} +## Get the number of elements within a vector. +## +## v: the vector to query. +## +## Returns: the number of elements in the vector. function Comm::vector_size%(v: Comm::Data%): count %{ auto& vec = comm::require_data_type(v->AsRecordVal(), @@ -336,6 +552,17 @@ function Comm::vector_size%(v: Comm::Data%): count return new Val(static_cast(vec.size()), TYPE_COUNT); %} +## Insert an element into a vector at a particular position, possibly displacing +## existing elements (insertion always grows the size of the vector by one). +## +## v: the vector to modify. +## +## d: the element to insert. +## +## idx: the index at which to insert the data. If it is greater than the +## current size of the vector, the element is inserted at the end. +## +## Returns: always true. function Comm::vector_insert%(v: Comm::Data, d: Comm::Data, idx: count%): bool %{ auto& vec = comm::require_data_type(v->AsRecordVal(), 
@@ -346,6 +573,16 @@ function Comm::vector_insert%(v: Comm::Data, d: Comm::Data, idx: count%): bool return new Val(true, TYPE_BOOL); %} +## Replace an element in a vector at a particular position. +## +## v: the vector to modify. +## +## d: the element to insert. +## +## idx: the index to replace. +## +## Returns: the value that was just evicted. If the index was larger than any +## valid index, the optional field of the returned record is not set. function Comm::vector_replace%(v: Comm::Data, d: Comm::Data, idx: count%): Comm::Data %{ auto& vec = comm::require_data_type(v->AsRecordVal(), @@ -360,6 +597,14 @@ function Comm::vector_replace%(v: Comm::Data, d: Comm::Data, idx: count%): Comm: return rval; %} +## Remove an element from a vector at a particular position. +## +## v: the vector to modify. +## +## idx: the index to remove. +## +## Returns: the value that was just evicted. If the index was larger than any +## valid index, the optional field of the returned record is not set. function Comm::vector_remove%(v: Comm::Data, idx: count%): Comm::Data %{ auto& vec = comm::require_data_type(v->AsRecordVal(), @@ -373,6 +618,14 @@ function Comm::vector_remove%(v: Comm::Data, idx: count%): Comm::Data return rval; %} +## Lookup an element in a vector at a particular position. +## +## v: the vector to query. +## +## idx: the index to lookup. +## +## Returns: the value at the index. If the index was larger than any +## valid index, the optional field of the returned record is not set. function Comm::vector_lookup%(v: Comm::Data, idx: count%): Comm::Data %{ auto& vec = comm::require_data_type(v->AsRecordVal(), 
@@ -384,17 +637,36 @@ function Comm::vector_lookup%(v: Comm::Data, idx: count%): Comm::Data return comm::make_data_val(vec[idx]); %} +## Create an iterator for a vector. Note that this makes a copy of the vector +## internally to ensure the iterator is always valid. +## +## v: the vector to iterate over. +## +## Returns: an iterator. function Comm::vector_iterator%(v: Comm::Data%): opaque of Comm::VectorIterator %{ return new comm::VectorIterator(v->AsRecordVal(), TYPE_VECTOR, frame); %} +## Check if there are no more elements to iterate over. +## +## it: an iterator. +## +## Returns: true if there are no more elements to iterator over, i.e. +## the iterator is one-past-the-final-element. function Comm::vector_iterator_last%(it: opaque of Comm::VectorIterator%): bool %{ auto vi = static_cast(it); return new Val(vi->it == vi->dat.end(), TYPE_BOOL); %} +## Advance an iterator. +## +## it: an iterator. +## +## Returns: true if the iterator, after advancing, still references an element +## in the collection. False if the iterator, after advancing, is +## one-past-the-final-element. function Comm::vector_iterator_next%(it: opaque of Comm::VectorIterator%): bool %{ auto vi = static_cast(it); @@ -406,6 +678,11 @@ function Comm::vector_iterator_next%(it: opaque of Comm::VectorIterator%): bool return new Val(vi->it != vi->dat.end(), TYPE_BOOL); %} +## Retrieve the data at an iterator's current position. +## +## it: an iterator. +## +## Returns: element in the collection that the iterator currently references. function Comm::vector_iterator_value%(it: opaque of Comm::VectorIterator%): Comm::Data %{ auto vi = static_cast(it); 
@@ -414,7 +691,7 @@ function Comm::vector_iterator_value%(it: opaque of Comm::VectorIterator%): Comm if ( vi->it == vi->dat.end() ) { reporter->PushLocation(frame->GetCall()->GetLocationInfo()); - reporter->Warning("attempt to retrieve value of invalid table iterator"); + reporter->Warning("attempt to retrieve value of invalid vector iterator"); reporter->PopLocation(); return rval; } @@ -423,11 +700,21 @@ function Comm::vector_iterator_value%(it: opaque of Comm::VectorIterator%): Comm return rval; %} +## Create communication data of type "record". +## +## sz: the number of fields in the record. +## +## Returns: record data, with all fields uninitialized. function Comm::record_create%(sz: count%): Comm::Data %{ return comm::make_data_val(broker::record(std::vector(sz))); %} +## Get the number of fields within a record. +## +## r: the record to query. +## +## Returns: the number of fields in the record. function Comm::record_size%(r: Comm::Data%): count %{ auto& v = comm::require_data_type(r->AsRecordVal(), @@ -435,6 +722,15 @@ function Comm::record_size%(r: Comm::Data%): count return new Val(static_cast(v.fields.size()), TYPE_COUNT); %} +## Replace a field in a record at a particular position. +## +## t: the table to modify. +## +## d: the new field value to assign. +## +## idx: the index to replace. +## +## Returns: false if the index was larger than any valid index, else true. function Comm::record_assign%(r: Comm::Data, d: Comm::Data, idx: count%): bool %{ auto& v = comm::require_data_type(r->AsRecordVal(), 
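Review bot: The parameter list in the comment added for `Comm::record_assign` does not match the signature. It documents `t: the table to modify`, while the function takes `r: Comm::Data` and operates on a record. Suggest `## r: the record to modify.`. The text looks copied from the table functions, so the `record_lookup` comment in the next hunk is worth a second look too; it has a doubled "the" in "if the the index was not valid".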
@@ -448,6 +744,15 @@ function Comm::record_assign%(r: Comm::Data, d: Comm::Data, idx: count%): bool return new Val(true, TYPE_BOOL); %} +## Lookup a field in a record at a particular position. +## +## r: the record to query. +## +## idx: the index to lookup. +## +## Returns: the value at the index. The optional field of the returned record +## may not be set if the field of the record has no value or if the +## the index was not valid. function Comm::record_lookup%(r: Comm::Data, idx: count%): Comm::Data %{ auto& v = comm::require_data_type(r->AsRecordVal(), @@ -462,17 +767,36 @@ function Comm::record_lookup%(r: Comm::Data, idx: count%): Comm::Data return comm::make_data_val(*v.fields[idx]); %} +## Create an iterator for a record. Note that this makes a copy of the record +## internally to ensure the iterator is always valid. +## +## r: the record to iterate over. +## +## Returns: an iterator. function Comm::record_iterator%(r: Comm::Data%): opaque of Comm::RecordIterator %{ return new comm::RecordIterator(r->AsRecordVal(), TYPE_RECORD, frame); %} +## Check if there are no more elements to iterate over. +## +## it: an iterator. +## +## Returns: true if there are no more elements to iterator over, i.e. +## the iterator is one-past-the-final-element. function Comm::record_iterator_last%(it: opaque of Comm::RecordIterator%): bool %{ auto ri = static_cast(it); return new Val(ri->it == ri->dat.fields.end(), TYPE_BOOL); %} +## Advance an iterator. +## +## it: an iterator. +## +## Returns: true if the iterator, after advancing, still references an element +## in the collection. False if the iterator, after advancing, is +## one-past-the-final-element. function Comm::record_iterator_next%(it: opaque of Comm::RecordIterator%): bool %{ auto ri = static_cast(it); 
@@ -484,6 +808,11 @@ function Comm::record_iterator_next%(it: opaque of Comm::RecordIterator%): bool return new Val(ri->it != ri->dat.fields.end(), TYPE_BOOL); %} +## Retrieve the data at an iterator's current position. +## +## it: an iterator. +## +## Returns: element in the collection that the iterator currently references. function Comm::record_iterator_value%(it: opaque of Comm::RecordIterator%): Comm::Data %{ auto ri = static_cast(it); diff --git a/src/comm/messaging.bif b/src/comm/messaging.bif index 26f9497449..fb65c981b2 100644 --- a/src/comm/messaging.bif +++ b/src/comm/messaging.bif @@ -14,6 +14,15 @@ type Comm::EventArgs: record; event Comm::print_handler%(msg: string%); +## Print a simple message to any interested peers. +## +## topic: a topic associated with the printed message. +## +## msg: the print message to send to peers. +## +## flags: tune the behavior of how the message is sent. +## +## Returns: true if the message is sent. function Comm::print%(topic: string, msg: string, flags: SendFlags &default = SendFlags()%): bool %{ 
@@ -22,24 +31,53 @@ function Comm::print%(topic: string, msg: string, return new Val(rval, TYPE_BOOL); %} +## Register interest in all peer print messages that use a certain topic prefix. +## +## topic_prefix: a prefix to match against remote message topics. +## e.g. an empty prefix matches everything and "a" matches +## "alice" and "amy" but not "bob". +## +## Returns: true if it's a new print subscription and it is now registered. function Comm::subscribe_to_prints%(topic_prefix: string%): bool %{ auto rval = comm_mgr->SubscribeToPrints(topic_prefix->CheckString()); return new Val(rval, TYPE_BOOL); %} +## Unregister interest in all peer print messages that use a topic prefix. +## +## topic_prefix: a prefix previously supplied to a successful call to +## :bro:see:`Comm::subscribe_to_prints`. +## +## Returns: true if interest in the topic prefix is no longer advertised. function Comm::unsubscribe_to_prints%(topic_prefix: string%): bool %{ auto rval = comm_mgr->UnsubscribeToPrints(topic_prefix->CheckString()); return new Val(rval, TYPE_BOOL); %} +## Create a data structure that may be used to send a remote event via +## :bro:see:`Comm::event`. +## +## args: an event, followed by a list of argument values that may be used +## to call it. +## +## Returns: opaque communication data that may be used to send a remote event. function Comm::event_args%(...%): Comm::EventArgs %{ auto rval = comm_mgr->MakeEventArgs(@ARGS@); return rval; %} +## Send an event to any interested peers. +## +## topic: a topic associated with the event message. +## +## args: event arguments as made by :bro:see:`Comm::event_args`. +## +## flags: tune the behavior of how the message is sent. +## +## Returns: true if the message is sent. function Comm::event%(topic: string, args: Comm::EventArgs, flags: SendFlags &default = SendFlags()%): bool %{ 
@@ -48,6 +86,18 @@ function Comm::event%(topic: string, args: Comm::EventArgs, return new Val(rval, TYPE_BOOL); %} +## Automatically send an event to any interested peers whenever it is +## locally dispatched (e.g. using "event my_event(...);" in a script). +## +## topic: a topic string associated with the event message. +## Peers advertise interest by registering a subscription to some prefix +## of this topic name. +## +## ev: a Bro event value. +## +## flags: tune the behavior of how the message is send. +## +## Returns: true if automatic event sending is now enabled. function Comm::auto_event%(topic: string, ev: any, flags: SendFlags &default = SendFlags()%): bool %{ 
@@ -55,51 +105,101 @@ function Comm::auto_event%(topic: string, ev: any, return new Val(rval, TYPE_BOOL); %} +## Stop automatically sending an event to peers upon local dispatch. +## +## topic: a topic originally given to :bro:see:`Comm::auto_event`. +## +## ev: an event originally given to :bro:see:`Comm::auto_event`. +## +## Returns: true if automatic events will no occur for the topic/event pair. function Comm::auto_event_stop%(topic: string, ev: any%): bool %{ auto rval = comm_mgr->AutoEventStop(topic->CheckString(), ev); return new Val(rval, TYPE_BOOL); %} +## Register interest in all peer event messages that use a certain topic prefix. +## +## topic_prefix: a prefix to match against remote message topics. +## e.g. an empty prefix matches everything and "a" matches +## "alice" and "amy" but not "bob". +## +## Returns: true if it's a new event subscription and it is now registered. function Comm::subscribe_to_events%(topic_prefix: string%): bool %{ auto rval = comm_mgr->SubscribeToEvents(topic_prefix->CheckString()); return new Val(rval, TYPE_BOOL); %} +## Unregister interest in all peer event messages that use a topic prefix. +## +## topic_prefix: a prefix previously supplied to a successful call to +## :bro:see:`Comm::subscribe_to_events`. +## +## Returns: true if interest in the topic prefix is no longer advertised. function Comm::unsubscribe_to_events%(topic_prefix: string%): bool %{ auto rval = comm_mgr->UnsubscribeToEvents(topic_prefix->CheckString()); return new Val(rval, TYPE_BOOL); %} +## Enable remote logs for a given log stream. +## +## id: the log stream to enable remote logs for. +## +## flags: tune the behavior of how log entry messages are sent. +## +## Returns: true if remote logs are enabled for the stream. 
function Comm::enable_remote_logs%(id: Log::ID, flags: SendFlags &default = SendFlags()%): bool %{ auto rval = log_mgr->EnableRemoteLogs(id->AsEnumVal(), - comm::Manager::GetFlags(flags)); + comm::Manager::send_flags_to_int(flags)); return new Val(rval, TYPE_BOOL); %} +## Disable remote logs for a given log stream. +## +## id: the log stream to disable remote logs for. +## +## Returns: true if remote logs are disabled for the stream. function Comm::disable_remote_logs%(id: Log::ID%): bool %{ auto rval = log_mgr->DisableRemoteLogs(id->AsEnumVal()); return new Val(rval, TYPE_BOOL); %} +## Returns: true if remote logs are enabled for the given stream. function Comm::remote_logs_enabled%(id: Log::ID%): bool %{ auto rval = log_mgr->RemoteLogsAreEnabled(id->AsEnumVal()); return new Val(rval, TYPE_BOOL); %} +## Register interest in all peer log messages that use a certain topic prefix. +## Logs are implicitly sent with topic "bro/log/" and the +## receiving side processes them through the logging framework as usual. +## +## topic_prefix: a prefix to match against remote message topics. +## e.g. an empty prefix matches everything and "a" matches +## "alice" and "amy" but not "bob". +## +## Returns: true if it's a new log subscription and it is now registered. function Comm::subscribe_to_logs%(topic_prefix: string%): bool %{ auto rval = comm_mgr->SubscribeToLogs(topic_prefix->CheckString()); return new Val(rval, TYPE_BOOL); %} +## Unregister interest in all peer log messages that use a topic prefix. +## Logs are implicitly sent with topic "bro/log/" and the +## receiving side processes them through the logging framework as usual. +## +## topic_prefix: a prefix previously supplied to a successful call to +## :bro:see:`Comm::subscribe_to_logs`. +## +## Returns: true if interest in the topic prefix is no longer advertised. function Comm::unsubscribe_to_logs%(topic_prefix: string%): bool %{ auto rval = comm_mgr->UnsubscribeToLogs(topic_prefix->CheckString()); 
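Review bot: Two of the comments added in this hunk are incomplete. `Comm::auto_event_stop` says "true if automatic events will no occur", which presumably should read `## Returns: true if automatic events will no longer occur for the topic/event pair.`. `Comm::remote_logs_enabled` gets only a `Returns:` line and no description of its `id` parameter, unlike `enable_remote_logs` and `disable_remote_logs` next to it; adding `## id: the log stream to check.` would keep the three consistent. The `auto_event` comment in the previous hunk has a similar slip, "how the message is send".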
diff --git a/src/comm/store.bif b/src/comm/store.bif index 18e63282e8..6a27c05dcb 100644 --- a/src/comm/store.bif +++ b/src/comm/store.bif @@ -16,12 +16,22 @@ type Store::QueryResult: record; type Store::BackendOptions: record; +## Enumerates the possible storage backends. enum BackendType %{ MEMORY, SQLITE, ROCKSDB, %} +## Create a master data store which contains key-value pairs. +## +## id: a unique name for the data store. +## +## b: the storage backend to use. +## +## options: tunes how some storage backends operate. +## +## Returns: a handle to the data store. function Store::create_master%(id: string, b: BackendType &default = MEMORY, options: BackendOptions &default = BackendOptions()%): opaque of Store::Handle %{ 
@@ -42,6 +52,28 @@ function Store::create_master%(id: string, b: BackendType &default = MEMORY, return rval; %} +## Create a clone of a master data store which may live with a remote peer. +## A clone automatically synchronizes to the master by automatically receiving +## modifications and applying them locally. Direct modifications are not +## possible, they must be sent through the master store, which then +## automatically broadcasts the changes out to clones. But queries may be made +## directly against the local cloned copy, which may be resolved quicker than +## reaching out to a remote master store. +## +## id: the unique name which identifies the master data store. +## +## b: the storage backend to use. +## +## options: tunes how some storage backends operate. +## +## resync: the interval at which to re-attempt synchronizing with the master +## store should the connection be lost. If the clone has not yet +## synchronized for the first time, updates and queries queue up until +## the synchronization completes. After, if the connection to the +## master store is lost, queries continue to use the clone's version, +## but updates will be lost until the master is once again available. +## +## Returns: a handle to the data store. function Store::create_clone%(id: string, b: BackendType &default = MEMORY, options: BackendOptions &default = BackendOptions(), resync: interval &default = 1sec%): opaque of Store::Handle @@ -64,6 +96,12 @@ function Store::create_clone%(id: string, b: BackendType &default = MEMORY, return rval; %} +## Create a frontend interface to an existing master data store that allows +## querying and updating its contents. +## +## id: the unique name which identifies the master data store. +## +## Returns: a handle to the data store. function Store::create_frontend%(id: string%): opaque of Store::Handle %{ auto id_str = id->CheckString(); 
@@ -81,6 +119,12 @@ function Store::create_frontend%(id: string%): opaque of Store::Handle return rval; %} +## Close a data store. +## +## h: a data store handle. +## +## Returns: true if store was valid and is now closed. The handle can no +## longer be used for data store operations. function Store::close_by_handle%(h: opaque of Store::Handle%): bool %{ auto handle = static_cast(h); @@ -96,6 +140,17 @@ function Store::close_by_handle%(h: opaque of Store::Handle%): bool # non-blocking update API # ########################### +## Insert a key-value pair in to the store. +## +## h: the handle of the store to modify. +## +## k: the key to insert. +## +## v: the value to insert. +## +## e: the expiration time of the key-value pair. +## +## Returns: false if the store handle was not valid. function Store::insert%(h: opaque of Store::Handle, k: Comm::Data, v: Comm::Data, e: Store::ExpiryTime &default = Store::ExpiryTime()%): bool @@ -134,6 +189,13 @@ function Store::insert%(h: opaque of Store::Handle, return new Val(true, TYPE_BOOL); %} +## Remove a key-value pair from the store. +## +## h: the handle of the store to modify. +## +## k: the key to remove. +## +## Returns: false if the store handle was not valid. function Store::erase%(h: opaque of Store::Handle, k: Comm::Data%): bool %{ auto handle = static_cast(h); @@ -146,6 +208,11 @@ function Store::erase%(h: opaque of Store::Handle, k: Comm::Data%): bool return new Val(true, TYPE_BOOL); %} +## Remove all key-value pairs from the store. +## +## h: the handle of the store to modify. +## +## Returns: false if the store handle was not valid. function Store::clear%(h: opaque of Store::Handle%): bool %{ auto handle = static_cast(h); 
@@ -157,6 +224,16 @@ function Store::clear%(h: opaque of Store::Handle%): bool return new Val(true, TYPE_BOOL); %} +## Increment an integer value in a data store. +## +## h: the handle of the store to modify. +## +## k: the key whose associated value is to be modified. +## +## by: the amount to increment the value by. A non-existent key will first +## create it with an implicit value of zero before incrementing. +## +## Returns: false if the store handle was not valid. function Store::increment%(h: opaque of Store::Handle, k: Comm::Data, by: int &default = +1%): bool %{ @@ -170,6 +247,16 @@ function Store::increment%(h: opaque of Store::Handle, return new Val(true, TYPE_BOOL); %} +## Decrement an integer value in a data store. +## +## h: the handle of the store to modify. +## +## k: the key whose associated value is to be modified. +## +## by: the amount to decrement the value by. A non-existent key will first +## create it with an implicit value of zero before decrementing. +## +## Returns: false if the store handle was not valid. function Store::decrement%(h: opaque of Store::Handle, k: Comm::Data, by: int &default = +1%): bool %{ @@ -183,6 +270,16 @@ function Store::decrement%(h: opaque of Store::Handle, return new Val(true, TYPE_BOOL); %} +## Add an element to a set value in a data store. +## +## h: the handle of the store to modify. +## +## k: the key whose associated value is to be modified. +## +## element: the element to add to the set. A non-existent key will first +## create it with an implicit empty set value before modifying. +## +## Returns: false if the store handle was not valid. function Store::add_to_set%(h: opaque of Store::Handle, k: Comm::Data, element: Comm::Data%): bool %{ 
@@ -197,6 +294,16 @@ function Store::add_to_set%(h: opaque of Store::Handle, return new Val(true, TYPE_BOOL); %} +## Remove an element from a set value in a data store. +## +## h: the handle of the store to modify. +## +## k: the key whose associated value is to be modified. +## +## element: the element to remove from the set. A non-existent key will +## implicitly create an empty set value associated with the key. +## +## Returns: false if the store handle was not valid. function Store::remove_from_set%(h: opaque of Store::Handle, k: Comm::Data, element: Comm::Data%): bool %{ @@ -211,6 +318,16 @@ function Store::remove_from_set%(h: opaque of Store::Handle, return new Val(true, TYPE_BOOL); %} +## Add a new item to the head of a vector value in a data store. +## +## h: the handle of store to modify. +## +## k: the key whose associated value is to be modified. +## +## item: the element to insert in to the vector. A non-existent key will first +## create empty vector value before modifying. +## +## Returns: the handle of store to modify. function Store::push_left%(h: opaque of Store::Handle, k: Comm::Data, items: Comm::DataVector%): bool %{ @@ -234,6 +351,16 @@ function Store::push_left%(h: opaque of Store::Handle, k: Comm::Data, return new Val(true, TYPE_BOOL); %} +## Add a new item to the tail of a vector value in a data store. +## +## h: the handle of store to modify. +## +## k: the key whose associated value is to be modified. +## +## item: the element to insert in to the vector. A non-existent key will first +## create empty vector value before modifying. +## +## Returns: the handle of store to modify. function Store::push_right%(h: opaque of Store::Handle, k: Comm::Data, items: Comm::DataVector%): bool %{ 
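Review bot: The comments added for `Store::push_left` and `Store::push_right` do not match the declarations below them. They document a parameter `item`, but the signature takes `items: Comm::DataVector`. They also give `Returns: the handle of store to modify.`, while the function is declared to return `bool` and the visible tail of the body returns `new Val(true, TYPE_BOOL)`. Suggest `## items: the elements to insert in to the vector.` and `## Returns: false if the store handle was not valid.`, matching the other update functions in this file. The same correction applies to both hunks on this line.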
@@ -297,20 +424,23 @@ static bool prepare_for_query(Val* opaque, Frame* frame, *cb = new comm::StoreQueryCallback(trigger, frame->GetCall(), (*handle)->store->id(), (*handle)->store_type); - comm_mgr->TrackStoreQuery(*cb); + comm_mgr->TrackStoreQuery(*cb); return true; } %%} +## Pop the head of a data store vector value. +## +## h: the handle of the store to query. +## +## k: the key associated with the vector to modify. +## +## Returns: the result of the query. function Store::pop_left%(h: opaque of Store::Handle, k: Comm::Data%): Store::QueryResult %{ - double timeout; - comm::StoreQueryCallback* cb; - comm::StoreHandleVal* handle; - - if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) ) + if ( ! comm_mgr->Enabled() ) return comm::query_result(); Val* key = k->AsRecordVal()->Lookup(0); @@ -318,19 +448,29 @@ function Store::pop_left%(h: opaque of Store::Handle, if ( ! key ) return comm::query_result(); + double timeout; + comm::StoreQueryCallback* cb; + comm::StoreHandleVal* handle; + + if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) ) + return comm::query_result(); + handle->store->pop_left(static_cast(key)->data, std::chrono::duration(timeout), cb); return 0; %} +## Pop the tail of a data store vector value. +## +## h: the handle of the store to query. +## +## k: the key associated with the vector to modify. +## +## Returns: the result of the query. function Store::pop_right%(h: opaque of Store::Handle, k: Comm::Data%): Store::QueryResult %{ - double timeout; - comm::StoreQueryCallback* cb; - comm::StoreHandleVal* handle; - - if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) ) + if ( ! comm_mgr->Enabled() ) return comm::query_result(); Val* key = k->AsRecordVal()->Lookup(0); 
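Review bot: The reordered preamble in `Store::pop_left` has no comment explaining why key validation now comes before `prepare_for_query()`, and the ordering is easy to undo in a later cleanup. The tail of `prepare_for_query()` visible at the top of this hunk allocates a `comm::StoreQueryCallback` and registers it with `comm_mgr->TrackStoreQuery(*cb)`, so any early return placed after that call would leave the callback allocated and tracked with no query issued. I would add `// Validate the key first: prepare_for_query() allocates and tracks the callback, so no early return may follow it.` above the `Val* key = ...` line, here and in `pop_right`, `lookup` and `exists` in the following hunks, which repeat the same sequence. Since the four preambles are identical, a small static helper that returns the key or null would keep them from drifting apart. `prepare_for_query()` starts outside the hunk, so what it does before the allocation is not visible.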
@@ -338,19 +478,29 @@ function Store::pop_right%(h: opaque of Store::Handle, if ( ! key ) return comm::query_result(); + double timeout; + comm::StoreQueryCallback* cb; + comm::StoreHandleVal* handle; + + if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) ) + return comm::query_result(); + handle->store->pop_right(static_cast(key)->data, std::chrono::duration(timeout), cb); return 0; %} +## Lookup the value associated with a key in a data store. +## +## h: the handle of the store to query. +## +## k: the key to lookup. +## +## Returns: the result of the query. function Store::lookup%(h: opaque of Store::Handle, k: Comm::Data%): Store::QueryResult %{ - double timeout; - comm::StoreQueryCallback* cb; - comm::StoreHandleVal* handle; - - if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) ) + if ( ! comm_mgr->Enabled() ) return comm::query_result(); Val* key = k->AsRecordVal()->Lookup(0); @@ -358,19 +508,29 @@ function Store::lookup%(h: opaque of Store::Handle, if ( ! key ) return comm::query_result(); + double timeout; + comm::StoreQueryCallback* cb; + comm::StoreHandleVal* handle; + + if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) ) + return comm::query_result(); + handle->store->lookup(static_cast(key)->data, std::chrono::duration(timeout), cb); return 0; %} +## Check if a data store contains a given key. +## +## h: the handle of the store to query. +## +## k: the key to check for existence. +## +## Returns: the result of the query (uses :bro:see:`Comm::BOOL`). function Store::exists%(h: opaque of Store::Handle, k: Comm::Data%): Store::QueryResult %{ - double timeout; - comm::StoreQueryCallback* cb; - comm::StoreHandleVal* handle; - - if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) ) + if ( ! comm_mgr->Enabled() ) return comm::query_result(); Val* key = k->AsRecordVal()->Lookup(0); 
@@ -378,11 +538,23 @@ function Store::exists%(h: opaque of Store::Handle, if ( ! key ) return comm::query_result(); + double timeout; + comm::StoreQueryCallback* cb; + comm::StoreHandleVal* handle; + + if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) ) + return comm::query_result(); + handle->store->exists(static_cast(key)->data, std::chrono::duration(timeout), cb); return 0; %} +## Retrieve all keys in a data store. +## +## h: the handle of the store to query. +## +## Returns: the result of the query (uses :bro:see:`Comm::VECTOR`). function Store::keys%(h: opaque of Store::Handle%): Store::QueryResult %{ double timeout; @@ -396,8 +568,16 @@ function Store::keys%(h: opaque of Store::Handle%): Store::QueryResult return 0; %} +## Get the number of key-value pairs in a data store. +## +## h: the handle of the store to query. +## +## Returns: the result of the query (uses :bro:see:`Comm::COUNT`). function Store::size%(h: opaque of Store::Handle%): Store::QueryResult %{ + if ( ! comm_mgr->Enabled() ) + return comm::query_result(); + double timeout; comm::StoreQueryCallback* cb; comm::StoreHandleVal* handle; diff --git a/src/logging/Manager.h b/src/logging/Manager.h index 8130a1ddd4..5d3372fb9b 100644 --- a/src/logging/Manager.h +++ b/src/logging/Manager.h 
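Review bot: `Store::keys` is left without the `comm_mgr->Enabled()` guard that this patch adds to `pop_left`, `pop_right`, `lookup`, `exists` and, in the next hunk, `Store::size`: its body still opens directly with `double timeout;`. If the guard is what keeps `prepare_for_query()` from calling `comm_mgr->TrackStoreQuery()` on a manager that is not enabled, `keys` remains the one query that can still reach it. I would open the body with `if ( ! comm_mgr->Enabled() )` followed by `return comm::query_result();`, as in the sibling functions. If `prepare_for_query()` already performs that check, the guards added elsewhere are redundant and belong inside it instead; its body is outside these hunks, so this cannot be confirmed from here.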
@@ -158,12 +158,30 @@ public: void Terminate(); #ifdef ENABLE_BROKER + /** + * Enable remote logs for a given stream. + * @param stream_id the stream to enable remote logs for. + * @param flags tune behavior of how log entries are sent to peer endpoints. + * @return true if remote logs are enabled. + */ bool EnableRemoteLogs(EnumVal* stream_id, int flags); + /** + * Disable remote logs for a given stream. + * @param stream_id the stream to disable remote logs for. + * @return true if remote logs are disabled. + */ bool DisableRemoteLogs(EnumVal* stream_id); + /** + * @return true if remote logs are enabled for a given stream. + */ bool RemoteLogsAreEnabled(EnumVal* stream_id); + /** + * @return the type which corresponds to the columns in a log entry for + * a given log stream. + */ RecordType* StreamColumns(EnumVal* stream_id); #endif From 9025b425344c150b5c06431b63cf3995c60916bb Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 17 Feb 2015 12:56:36 -0800 Subject: [PATCH 057/109] Updating submodule. --- aux/bro-aux | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/bro-aux b/aux/bro-aux index 8c37b26823..fa145348ab 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 8c37b26823ada9c77614b2f8f781c11c8fe3d078 +Subproject commit fa145348abe15dcd5f8e52cc96e1fb758c092e36 From 818ba9127f4856f1e83c5e42eba0117adfeafdbe Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 17 Feb 2015 13:59:21 -0800 Subject: [PATCH 058/109] Update submodules. --- aux/bro-aux | 2 +- cmake | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/aux/bro-aux b/aux/bro-aux index fa145348ab..c409d529cf 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit fa145348abe15dcd5f8e52cc96e1fb758c092e36 +Subproject commit c409d529cf0c3fa851d4720914badb04d0c6b7c2 diff --git a/cmake b/cmake index 9623367210..5e4e3507e2 160000 --- a/cmake +++ b/cmake 
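Review bot: The new Doxygen comments on `EnableRemoteLogs` and `DisableRemoteLogs` leave the return value ambiguous: `@return true if remote logs are enabled` can be read either as "the call succeeded" or as "the resulting state", and nothing says what is returned for a stream id that is not registered. These methods decide whether log entries are sent to peer endpoints, so callers need to know when a `false` means entries are still being sent. I would word them along the lines of `@return true if the stream exists and remote logging is now enabled for it, false otherwise.`, once checked against the implementation, which is not part of this hunk. `RemoteLogsAreEnabled` and `StreamColumns` also lack a `@param stream_id` line, and `StreamColumns` should state whether it can return a null pointer for an unknown stream. The accepted values of `flags` are not named either; a reference to the constants that define them would help.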
@@ -1 +1 @@ -Subproject commit 962336721040fdf55a6b264f8bbc84153b54d9a5 +Subproject commit 5e4e3507e280c393778fd55fb0124217067e0078 From 093d4069206b9ae7ced009241cdd8e70aec1c4ec Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 17 Feb 2015 14:03:05 -0800 Subject: [PATCH 059/109] Updating plugin docs to recent changes. --- doc/devel/plugins.rst | 97 ++++++++++++++++++++++++------------------- 1 file changed, 55 insertions(+), 42 deletions(-) diff --git a/doc/devel/plugins.rst b/doc/devel/plugins.rst index c703345891..66ffba101f 100644 --- a/doc/devel/plugins.rst +++ b/doc/devel/plugins.rst @@ -3,7 +3,7 @@ Writing Bro Plugins =================== -Bro is internally moving to a plugin structure that enables extending +Bro internally provides plugin API that enables extending the system dynamically, without modifying the core code base. That way custom code remains self-contained and can be maintained, compiled, and installed independently. Currently, plugins can add the following 
@@ -42,13 +42,13 @@ certain structure. To get started, Bro's distribution provides a helper script ``aux/bro-aux/plugin-support/init-plugin`` that creates a skeleton plugin that can then be customized. Let's use that:: - # mkdir rot13-plugin - # cd rot13-plugin - # init-plugin Demo Rot13 + # init-plugin ./rot13-plugin Demo Rot13 -As you can see the script takes two arguments. The first is a -namespace the plugin will live in, and the second a descriptive name -for the plugin itself. Bro uses the combination of the two to identify +As you can see the script takes three arguments. The first is a +directory inside which the plugin skeleton will be create; it +shouldn't exist it. The second is namespace the plugin will live in, +and the third a descriptive name for the plugin itself relative to the +namespace. Bro uses the combination of namespace and name to identify a plugin. The namespace serves to avoid naming conflicts between plugins written by independent developers; pick, e.g., the name of your organisation. The namespace ``Bro`` is reserved for functionality 
@@ -82,18 +82,22 @@ The syntax of this file is just like any other ``*.bif`` file; we won't go into it here. Now we can already compile our plugin, we just need to tell the -configure script put in place by ``init-plugin`` where the Bro source -tree is located (Bro needs to have been built there first):: +configure script that ``init-plugin`` put in place where the Bro +source tree is located (Bro needs to have been built there first):: + # cd rot13-plugin # ./configure --bro-dist=/path/to/bro/dist && make [... cmake output ...] -Now our ``rot13-plugin`` directory has everything that it needs -for Bro to recognize it as a dynamic plugin. Once we point Bro to it, -it will pull it in automatically, as we can check with the ``-N`` +This builds the plugin in a subdirectory ``build/``. In fact, that +subdirectory *becomes* the plugin: when ``make`` finishes, ``build/`` +has everything it needs for Bro to recognize it as a dynamic plugin. + +Let's try that. Once we point Bro to the ``build/`` directory, it will +pull in our new plugin automatically, as we can check with the ``-N`` option:: - # export BRO_PLUGIN_PATH=/path/to/rot13-plugin + # export BRO_PLUGIN_PATH=/path/to/rot13-plugin/build # bro -N [...] Plugin: Demo::Rot13 - (dynamic, version 1) 
@@ -153,24 +157,28 @@ Once we install it, it works again:: The installed version went into ``/lib/bro/plugins/Demo_Rot13``. -We can distribute the plugin in either source or binary form by using -the Makefile's ``sdist`` and ``bdist`` target, respectively. Both -create corrsponding tarballs:: +One can distribute the plugin independently of Bro for others to use. +To distribute in source form, just remove the ``build/`` (``make +distclean`` does that) and then tar up the whole ``rot13-plugin/`` +directory. Others then follow the same process as above after +unpacking. To distribute the plugin in binary form, the build process +conviniently creates a corresponding tarball in ``build/dist/``. In +this case, it's called ``Demo_Rot13-0.1.tar.gz``, with the version +number coming out of the ``VERSION`` file that ``init-plugin`` put +into place. The binary tarball has everything needed to run the +plugin, but no further source files. Optionally, one can include +further files by specifying them in the plugin's ``CMakeLists.txt`` +through the ``bro_plugin_dist_files`` macro; the skeleton does that +for ``README``, ``VERSION``, ``CHANGES``, and ``COPYING``. To use the +plugin through the binary tarball, just unpack it and point +``BRO_PLUGIN_PATH`` there; or copy it into +``/lib/bro/plugins/`` directly. - # make sdist - [...] - Source distribution in build/sdist/Demo_Rot13.tar.gz - - # make bdist - [...] - Binary distribution in build/Demo_Rot13-darwin-x86_64.tar.gz - -The source archive will contain everything in the plugin directory -except any generated files. The binary archive will contain anything -needed to install and run the plugin, i.e., just what ``make install`` -puts into place as well. As the binary distribution is -platform-dependent, its name includes the OS and architecture the -plugin was built on. +Before distributing your plugin, you should edit some of the meta +files that ``init-plugin`` puts in place. 
Edit ``README`` and +``VERSION``, and update ``CHANGES`` when you make changes. Also put a +license file in place as ``COPYING``; if BSD is fine, you find a +template in ``COPYING.edit-me``. Plugin Directory Layout ======================= @@ -179,7 +187,7 @@ A plugin's directory needs to follow a set of conventions so that Bro (1) recognizes it as a plugin, and (2) knows what to load. While ``init-plugin`` takes care of most of this, the following is the full story. We'll use ```` to represent a plugin's top-level -directory. +directory. With the skeleton, ```` corresponds to ``build/``. ``/__bro_plugin__`` A file that marks a directory as containing a Bro plugin. The file @@ -205,6 +213,8 @@ directory. Directory with auto-generated Bro scripts that declare the plugin's bif elements. The files here are produced by ``bifcl``. +Any other files in ```` are ignored by Bro. + By convention, a plugin should put its custom scripts into sub folders of ``scripts/``, i.e., ``scripts//